warzonerat | 6eece4806c8bf747902d294b848541c47b364d234e0ae5940422cfe6d43b50ae

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
Size

2.9MB
MD5

05ed34336a57c32067b70dad6ed34053
SHA1

1fb2309fb291e65b7597638a55d1891cb90d26d7
SHA256

6eece4806c8bf747902d294b848541c47b364d234e0ae5940422cfe6d43b50ae
SHA512

9e2306065c70ae266ba96d1d2d83081ffa89e300f88a41ed786645a6cffd6031362885850461caee9069578755631901def0421fc32e21e29908c49e159f9666
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHx:ATU7AAmw4gxeOw46fUbNecCCFbNecG

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 28 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1972	explorer.exe
2336	explorer.exe
540	explorer.exe
1944	spoolsv.exe
1620	spoolsv.exe
2812	spoolsv.exe
1968	spoolsv.exe
1028	spoolsv.exe
2648	spoolsv.exe
2908	spoolsv.exe
1976	spoolsv.exe
1964	spoolsv.exe
2376	spoolsv.exe
2036	spoolsv.exe
768	spoolsv.exe
1836	spoolsv.exe
1564	spoolsv.exe
2356	spoolsv.exe
1000	spoolsv.exe
2560	spoolsv.exe
2580	spoolsv.exe
2700	spoolsv.exe
2632	spoolsv.exe
1660	spoolsv.exe
280	spoolsv.exe
1712	spoolsv.exe
688	spoolsv.exe
2144	spoolsv.exe
1388	spoolsv.exe
1944	spoolsv.exe
2360	spoolsv.exe
2476	spoolsv.exe
1832	spoolsv.exe
1584	spoolsv.exe
1012	spoolsv.exe
2176	spoolsv.exe
2464	spoolsv.exe
1720	spoolsv.exe
1636	spoolsv.exe
2260	spoolsv.exe
1692	spoolsv.exe
764	spoolsv.exe
960	spoolsv.exe
1488	spoolsv.exe
1680	spoolsv.exe
2800	spoolsv.exe
2740	spoolsv.exe
3000	spoolsv.exe
2876	spoolsv.exe
2536	spoolsv.exe
2656	spoolsv.exe
1200	spoolsv.exe
2304	spoolsv.exe
2092	spoolsv.exe
1320	spoolsv.exe
1944	spoolsv.exe
2584	spoolsv.exe
2596	spoolsv.exe
1060	spoolsv.exe
2236	spoolsv.exe
2688	spoolsv.exe
1132	spoolsv.exe
2272	spoolsv.exe
1972	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
540	explorer.exe
540	explorer.exe
1944	spoolsv.exe
540	explorer.exe
540	explorer.exe
2812	spoolsv.exe
540	explorer.exe
540	explorer.exe
1028	spoolsv.exe
540	explorer.exe
540	explorer.exe
2908	spoolsv.exe
540	explorer.exe
540	explorer.exe
1964	spoolsv.exe
540	explorer.exe
540	explorer.exe
2036	spoolsv.exe
540	explorer.exe
540	explorer.exe
1836	spoolsv.exe
540	explorer.exe
540	explorer.exe
2356	spoolsv.exe
540	explorer.exe
540	explorer.exe
2560	spoolsv.exe
540	explorer.exe
540	explorer.exe
2700	spoolsv.exe
540	explorer.exe
540	explorer.exe
1660	spoolsv.exe
540	explorer.exe
540	explorer.exe
1712	spoolsv.exe
540	explorer.exe
540	explorer.exe
2144	spoolsv.exe
540	explorer.exe
540	explorer.exe
1944	spoolsv.exe
540	explorer.exe
540	explorer.exe
2476	spoolsv.exe
540	explorer.exe
540	explorer.exe
1584	spoolsv.exe
540	explorer.exe
540	explorer.exe
2176	spoolsv.exe
540	explorer.exe
540	explorer.exe
1720	spoolsv.exe
540	explorer.exe
540	explorer.exe
2260	spoolsv.exe
540	explorer.exe
540	explorer.exe
764	spoolsv.exe
540	explorer.exe
540	explorer.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1256-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1256-43-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Windows\system\explorer.exe	upx
behavioral1/memory/1972-104-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1972-148-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
\Windows\system\spoolsv.exe	upx
behavioral1/memory/540-194-0x0000000003220000-0x0000000003266000-memory.dmp	upx
behavioral1/memory/2812-257-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1944-245-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1028-308-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2908-359-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1964-410-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2036-464-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1836-518-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2356-571-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/540-625-0x0000000003220000-0x0000000003266000-memory.dmp	upx
behavioral1/memory/2560-627-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2700-684-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/540-682-0x0000000003220000-0x0000000003266000-memory.dmp	upx
behavioral1/memory/1660-738-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1256 set thread context of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 set thread context of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 set thread context of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 1972 set thread context of 2336	1972	explorer.exe	explorer.exe
PID 2336 set thread context of 540	2336	explorer.exe	explorer.exe
PID 2336 set thread context of 1948	2336	explorer.exe	diskperf.exe
PID 1944 set thread context of 1620	1944	spoolsv.exe	spoolsv.exe
PID 2812 set thread context of 1968	2812	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 2648	1028	spoolsv.exe	spoolsv.exe
PID 2908 set thread context of 1976	2908	spoolsv.exe	spoolsv.exe
PID 1964 set thread context of 2376	1964	spoolsv.exe	spoolsv.exe
PID 2036 set thread context of 768	2036	spoolsv.exe	spoolsv.exe
PID 1836 set thread context of 1564	1836	spoolsv.exe	spoolsv.exe
PID 2356 set thread context of 1000	2356	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 2580	2560	spoolsv.exe	spoolsv.exe
PID 2700 set thread context of 2632	2700	spoolsv.exe	spoolsv.exe
PID 1660 set thread context of 280	1660	spoolsv.exe	spoolsv.exe
PID 1712 set thread context of 688	1712	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 1388	2144	spoolsv.exe	spoolsv.exe
PID 1944 set thread context of 2360	1944	spoolsv.exe	spoolsv.exe
PID 2476 set thread context of 1832	2476	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 1012	1584	spoolsv.exe	spoolsv.exe
PID 2176 set thread context of 2464	2176	spoolsv.exe	spoolsv.exe
PID 1720 set thread context of 1636	1720	spoolsv.exe	spoolsv.exe
PID 2260 set thread context of 1692	2260	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 960	764	spoolsv.exe	spoolsv.exe
PID 1488 set thread context of 1680	1488	spoolsv.exe	spoolsv.exe
PID 2800 set thread context of 2740	2800	spoolsv.exe	spoolsv.exe
PID 3000 set thread context of 2876	3000	spoolsv.exe	spoolsv.exe
PID 2536 set thread context of 2656	2536	spoolsv.exe	spoolsv.exe
PID 1200 set thread context of 2304	1200	spoolsv.exe	spoolsv.exe
PID 2092 set thread context of 1320	2092	spoolsv.exe	spoolsv.exe
PID 1944 set thread context of 2584	1944	spoolsv.exe	spoolsv.exe
PID 2596 set thread context of 1060	2596	spoolsv.exe	spoolsv.exe
PID 2236 set thread context of 2688	2236	spoolsv.exe	spoolsv.exe
PID 1132 set thread context of 2272	1132	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 2292	1972	spoolsv.exe	spoolsv.exe
PID 1736 set thread context of 588	1736	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 564	1620	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 2076	1620	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 2852	1512	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 2652	1968	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 1668	1968	spoolsv.exe	diskperf.exe
PID 1944 set thread context of 3064	1944	explorer.exe	explorer.exe
PID 2168 set thread context of 2488	2168	spoolsv.exe	spoolsv.exe
PID 2648 set thread context of 1132	2648	spoolsv.exe	spoolsv.exe
PID 2648 set thread context of 1592	2648	spoolsv.exe	diskperf.exe
PID 1976 set thread context of 1492	1976	spoolsv.exe	spoolsv.exe
PID 1976 set thread context of 864	1976	spoolsv.exe	diskperf.exe
PID 2940 set thread context of 1144	2940	explorer.exe	explorer.exe
PID 1736 set thread context of 1536	1736	spoolsv.exe	spoolsv.exe
PID 2376 set thread context of 2476	2376	spoolsv.exe	spoolsv.exe
PID 2376 set thread context of 1584	2376	spoolsv.exe	diskperf.exe
PID 2804 set thread context of 1612	2804	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 2156	768	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 2264	768	spoolsv.exe	diskperf.exe
PID 1260 set thread context of 2104	1260	explorer.exe	explorer.exe
PID 2176 set thread context of 1308	2176	spoolsv.exe	spoolsv.exe
PID 1564 set thread context of 604	1564	spoolsv.exe	spoolsv.exe
PID 1564 set thread context of 2036	1564	spoolsv.exe	diskperf.exe
PID 1000 set thread context of 2784	1000	spoolsv.exe	spoolsv.exe
PID 1000 set thread context of 2768	1000	spoolsv.exe	diskperf.exe
PID 2324 set thread context of 1688	2324	spoolsv.exe	spoolsv.exe
PID 2580 set thread context of 2744	2580	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 53 IoCs

Processes:

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
1972	explorer.exe
1944	spoolsv.exe
540	explorer.exe
540	explorer.exe
2812	spoolsv.exe
540	explorer.exe
1028	spoolsv.exe
540	explorer.exe
2908	spoolsv.exe
540	explorer.exe
1964	spoolsv.exe
540	explorer.exe
2036	spoolsv.exe
540	explorer.exe
1836	spoolsv.exe
540	explorer.exe
2356	spoolsv.exe
540	explorer.exe
2560	spoolsv.exe
540	explorer.exe
2700	spoolsv.exe
540	explorer.exe
1660	spoolsv.exe
540	explorer.exe
1712	spoolsv.exe
540	explorer.exe
2144	spoolsv.exe
540	explorer.exe
1944	spoolsv.exe
540	explorer.exe
2476	spoolsv.exe
540	explorer.exe
1584	spoolsv.exe
540	explorer.exe
2176	spoolsv.exe
540	explorer.exe
1720	spoolsv.exe
540	explorer.exe
2260	spoolsv.exe
540	explorer.exe
764	spoolsv.exe
540	explorer.exe
1488	spoolsv.exe
540	explorer.exe
2800	spoolsv.exe
540	explorer.exe
3000	spoolsv.exe
540	explorer.exe
2536	spoolsv.exe
540	explorer.exe
1200	spoolsv.exe
540	explorer.exe
2092	spoolsv.exe
540	explorer.exe
1944	spoolsv.exe
540	explorer.exe
2596	spoolsv.exe
540	explorer.exe
2236	spoolsv.exe
540	explorer.exe
1132	spoolsv.exe
540	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
1972	explorer.exe
1972	explorer.exe
540	explorer.exe
540	explorer.exe
1944	spoolsv.exe
1944	spoolsv.exe
540	explorer.exe
540	explorer.exe
2812	spoolsv.exe
2812	spoolsv.exe
1028	spoolsv.exe
1028	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
1964	spoolsv.exe
1964	spoolsv.exe
2036	spoolsv.exe
2036	spoolsv.exe
1836	spoolsv.exe
1836	spoolsv.exe
2356	spoolsv.exe
2356	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2700	spoolsv.exe
2700	spoolsv.exe
1660	spoolsv.exe
1660	spoolsv.exe
1712	spoolsv.exe
1712	spoolsv.exe
2144	spoolsv.exe
2144	spoolsv.exe
1944	spoolsv.exe
1944	spoolsv.exe
2476	spoolsv.exe
2476	spoolsv.exe
1584	spoolsv.exe
1584	spoolsv.exe
2176	spoolsv.exe
2176	spoolsv.exe
1720	spoolsv.exe
1720	spoolsv.exe
2260	spoolsv.exe
2260	spoolsv.exe
764	spoolsv.exe
764	spoolsv.exe
1488	spoolsv.exe
1488	spoolsv.exe
2800	spoolsv.exe
2800	spoolsv.exe
3000	spoolsv.exe
3000	spoolsv.exe
2536	spoolsv.exe
2536	spoolsv.exe
1200	spoolsv.exe
1200	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
1944	spoolsv.exe
1944	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1256 wrote to memory of 1336	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	cmd.exe
PID 1256 wrote to memory of 1336	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	cmd.exe
PID 1256 wrote to memory of 1336	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	cmd.exe
PID 1256 wrote to memory of 1336	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	cmd.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 1256 wrote to memory of 2204	1256	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2224	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
PID 2204 wrote to memory of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 2204 wrote to memory of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 2204 wrote to memory of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 2204 wrote to memory of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 2204 wrote to memory of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 2204 wrote to memory of 2772	2204	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	diskperf.exe
PID 2224 wrote to memory of 1972	2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	explorer.exe
PID 2224 wrote to memory of 1972	2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	explorer.exe
PID 2224 wrote to memory of 1972	2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	explorer.exe
PID 2224 wrote to memory of 1972	2224	05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe	explorer.exe
PID 1972 wrote to memory of 2028	1972	explorer.exe	cmd.exe
PID 1972 wrote to memory of 2028	1972	explorer.exe	cmd.exe
PID 1972 wrote to memory of 2028	1972	explorer.exe	cmd.exe
PID 1972 wrote to memory of 2028	1972	explorer.exe	cmd.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe
PID 1972 wrote to memory of 2336	1972	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1336

C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2336

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:564

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2352

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1132

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:956

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2476

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2784

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1808

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2896

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:496

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2100

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2128

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
2.9MB

MD5
05ed34336a57c32067b70dad6ed34053

SHA1
1fb2309fb291e65b7597638a55d1891cb90d26d7

SHA256
6eece4806c8bf747902d294b848541c47b364d234e0ae5940422cfe6d43b50ae

SHA512
9e2306065c70ae266ba96d1d2d83081ffa89e300f88a41ed786645a6cffd6031362885850461caee9069578755631901def0421fc32e21e29908c49e159f9666

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe
Filesize
2.9MB

MD5
e5eb1e9025791ea93801a84ddd760182

SHA1
bf3da333d5ee9019ebc813b6c2afe09bc33a633a

SHA256
59054a2f41c87f48508c70004bc6d766ce7403e33e3dbb8b00046a3bc41a6a59

SHA512
143afa818fc3f1924bbded6d06c6f05af5d34c89927ef712effed4548c6bdd48b37ae36dee84118f38c843d207cf6136b145b34c5950e946771eeae0a37dce58

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.9MB

MD5
fc5a043b33b80e37c3660cef780a9f24

SHA1
11f646a6bf3c1618dd8856f9e725255b8ab9d41d

SHA256
2ad8ee979a814cab2a9a9b0482204aee294ab6971fd33022770d2cbdb7e5b0c9

SHA512
8c05505a5c263b72f1d4d663daa3c57be0d67bbd77e344d18d89372c1dcbc07b23eb059f65d8e0e4e59652327bc6ba3f82ae9b2c067d71e0a8edfeb4c8def706

Download Submit
memory/540-575-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-463-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-569-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-194-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-2616-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-1581-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-1582-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-1236-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-737-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-454-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-681-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-682-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-686-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-462-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-200-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-516-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-625-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-574-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/540-2615-0x0000000003220000-0x0000000003266000-memory.dmp

Filesize
280KB

Download
memory/768-2221-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/768-510-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1000-626-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1000-2341-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1028-308-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1256-5-0x0000000000390000-0x00000000003D6000-memory.dmp

Filesize
280KB

Download
memory/1256-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1256-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1564-2318-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1564-561-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1620-1786-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1620-256-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1660-738-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1836-530-0x0000000001DD0000-0x0000000001E16000-memory.dmp

Filesize
280KB

Download
memory/1836-518-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-245-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1964-410-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1968-1869-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1968-307-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1972-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1972-148-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1976-409-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1976-2018-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2036-464-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2204-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-51-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2204-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-91-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-92-0x0000000007200000-0x0000000007212000-memory.dmp

Filesize
72KB

Download
memory/2204-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-50-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-52-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2204-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-72-0x0000000007200000-0x0000000007246000-memory.dmp

Filesize
280KB

Download
memory/2204-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-33-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-53-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2204-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2224-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-103-0x0000000003200000-0x0000000003246000-memory.dmp

Filesize
280KB

Download
memory/2224-102-0x0000000003200000-0x0000000003246000-memory.dmp

Filesize
280KB

Download
memory/2224-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-186-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2336-157-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2356-571-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2376-461-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2376-2133-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2560-646-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/2560-627-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2580-683-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2580-2408-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2632-734-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2632-2542-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2648-358-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2648-1982-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2700-684-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2772-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2812-257-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2908-359-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads