warzonerat | c1636240d330f576c7099520df66c1afae8dd95121cd9150cb2c4fa2e1f8ac66

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
Size

2.9MB
MD5

0a6c1caf5b0862c86d94bc62d71e6ca8
SHA1

deddd6ab28cd9c3e44ad9680cb0d5977b02b2282
SHA256

c1636240d330f576c7099520df66c1afae8dd95121cd9150cb2c4fa2e1f8ac66
SHA512

4bc40594db914c83eecc65fba892a9eb24a3e075d7cf0bed0de61183a5649c73e0be8a0d75fa7ffab380dfb5ad5aa47b343a449fd1430aad58179124281c317d
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH2:3Ty7A3mw4gxeOw46fUbNecCCFbNecn

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 31 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
5508	explorer.exe
4792	explorer.exe
3824	explorer.exe
5816	spoolsv.exe
4544	spoolsv.exe
5976	spoolsv.exe
5240	spoolsv.exe
3168	spoolsv.exe
1784	spoolsv.exe
3940	spoolsv.exe
1496	spoolsv.exe
4508	spoolsv.exe
6060	spoolsv.exe
2264	spoolsv.exe
3284	spoolsv.exe
3792	spoolsv.exe
3716	spoolsv.exe
2628	spoolsv.exe
4764	spoolsv.exe
4528	spoolsv.exe
2688	spoolsv.exe
3056	spoolsv.exe
4652	spoolsv.exe
4668	spoolsv.exe
1348	spoolsv.exe
3808	spoolsv.exe
5796	spoolsv.exe
5620	spoolsv.exe
512	spoolsv.exe
5952	spoolsv.exe
5276	spoolsv.exe
456	spoolsv.exe
2320	spoolsv.exe
5752	spoolsv.exe
3624	spoolsv.exe
5096	spoolsv.exe
5504	spoolsv.exe
944	spoolsv.exe
1352	spoolsv.exe
4020	spoolsv.exe
2204	spoolsv.exe
6024	spoolsv.exe
1132	spoolsv.exe
4120	spoolsv.exe
1380	spoolsv.exe
2136	spoolsv.exe
4344	spoolsv.exe
6044	spoolsv.exe
4428	spoolsv.exe
3096	spoolsv.exe
3348	spoolsv.exe
5668	spoolsv.exe
960	spoolsv.exe
3708	spoolsv.exe
5684	spoolsv.exe
4660	spoolsv.exe
3572	spoolsv.exe
1192	spoolsv.exe
1960	spoolsv.exe
2972	spoolsv.exe
548	spoolsv.exe
664	spoolsv.exe
2384	spoolsv.exe
624	spoolsv.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 3280 set thread context of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 set thread context of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 set thread context of 4704	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	diskperf.exe
PID 5508 set thread context of 4792	5508	explorer.exe	explorer.exe
PID 4792 set thread context of 3824	4792	explorer.exe	explorer.exe
PID 5816 set thread context of 4544	5816	spoolsv.exe	spoolsv.exe
PID 5976 set thread context of 5240	5976	spoolsv.exe	spoolsv.exe
PID 3168 set thread context of 1784	3168	spoolsv.exe	spoolsv.exe
PID 3940 set thread context of 1496	3940	spoolsv.exe	spoolsv.exe
PID 4508 set thread context of 6060	4508	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 3284	2264	spoolsv.exe	spoolsv.exe
PID 3792 set thread context of 3716	3792	spoolsv.exe	spoolsv.exe
PID 2628 set thread context of 4764	2628	spoolsv.exe	spoolsv.exe
PID 4528 set thread context of 2688	4528	spoolsv.exe	spoolsv.exe
PID 3056 set thread context of 4652	3056	spoolsv.exe	spoolsv.exe
PID 4668 set thread context of 1348	4668	spoolsv.exe	spoolsv.exe
PID 3808 set thread context of 5796	3808	spoolsv.exe	spoolsv.exe
PID 5620 set thread context of 512	5620	spoolsv.exe	spoolsv.exe
PID 5952 set thread context of 5276	5952	spoolsv.exe	spoolsv.exe
PID 456 set thread context of 2320	456	spoolsv.exe	spoolsv.exe
PID 5752 set thread context of 3624	5752	spoolsv.exe	spoolsv.exe
PID 5096 set thread context of 5504	5096	spoolsv.exe	spoolsv.exe
PID 944 set thread context of 1352	944	spoolsv.exe	spoolsv.exe
PID 4020 set thread context of 2204	4020	spoolsv.exe	spoolsv.exe
PID 6024 set thread context of 1132	6024	spoolsv.exe	spoolsv.exe
PID 4120 set thread context of 1380	4120	spoolsv.exe	spoolsv.exe
PID 2136 set thread context of 4344	2136	spoolsv.exe	spoolsv.exe
PID 6044 set thread context of 4428	6044	spoolsv.exe	spoolsv.exe
PID 3096 set thread context of 3348	3096	spoolsv.exe	spoolsv.exe
PID 5668 set thread context of 960	5668	spoolsv.exe	spoolsv.exe
PID 3708 set thread context of 5684	3708	spoolsv.exe	spoolsv.exe
PID 4660 set thread context of 3572	4660	spoolsv.exe	spoolsv.exe
PID 1192 set thread context of 1960	1192	spoolsv.exe	spoolsv.exe
PID 2972 set thread context of 548	2972	spoolsv.exe	spoolsv.exe
PID 5240 set thread context of 2400	5240	spoolsv.exe	spoolsv.exe
PID 5240 set thread context of 5388	5240	spoolsv.exe	diskperf.exe
PID 1348 set thread context of 2172	1348	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 6116	1348	spoolsv.exe	diskperf.exe
PID 1784 set thread context of 1144	1784	spoolsv.exe	spoolsv.exe
PID 1784 set thread context of 4656	1784	spoolsv.exe	diskperf.exe
PID 6060 set thread context of 4392	6060	spoolsv.exe	spoolsv.exe
PID 6060 set thread context of 5160	6060	spoolsv.exe	diskperf.exe
PID 3284 set thread context of 2756	3284	spoolsv.exe	spoolsv.exe
PID 4544 set thread context of 3240	4544	spoolsv.exe	spoolsv.exe
PID 5796 set thread context of 2884	5796	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 3120	1496	spoolsv.exe	spoolsv.exe
PID 4652 set thread context of 1416	4652	spoolsv.exe	spoolsv.exe
PID 2688 set thread context of 3488	2688	spoolsv.exe	spoolsv.exe
PID 5796 set thread context of 1924	5796	spoolsv.exe	diskperf.exe
PID 512 set thread context of 4580	512	spoolsv.exe	spoolsv.exe
PID 2376 set thread context of 1488	2376	explorer.exe	explorer.exe
PID 4652 set thread context of 5556	4652	spoolsv.exe	diskperf.exe
PID 2688 set thread context of 3568	2688	spoolsv.exe	diskperf.exe
PID 512 set thread context of 5976	512	spoolsv.exe	diskperf.exe
PID 4764 set thread context of 2216	4764	spoolsv.exe	spoolsv.exe
PID 4764 set thread context of 2544	4764	spoolsv.exe	diskperf.exe

Drops file in Windows directory 35 IoCs

Processes:

spoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4528 664 WerFault.exe spoolsv.exe
4268 2384 WerFault.exe spoolsv.exe
5752 624 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
4528	664	WerFault.exe	spoolsv.exe
4268	2384	WerFault.exe	spoolsv.exe
5752	624	WerFault.exe	spoolsv.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

dwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
5508	explorer.exe
5508	explorer.exe
5816	spoolsv.exe
5816	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
3824	explorer.exe
3824	explorer.exe
5976	spoolsv.exe
5976	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
3168	spoolsv.exe
3168	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
3940	spoolsv.exe
3940	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
4508	spoolsv.exe
4508	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
2264	spoolsv.exe
2264	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
3792	spoolsv.exe
3792	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
2628	spoolsv.exe
2628	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
4528	spoolsv.exe
4528	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
3056	spoolsv.exe
3056	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
4668	spoolsv.exe
4668	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
3808	spoolsv.exe
3808	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
5620	spoolsv.exe
5620	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
5952	spoolsv.exe
5952	spoolsv.exe
3824	explorer.exe
3824	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

dwm.exedwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	1116	dwm.exe
Token: SeChangeNotifyPrivilege	1116	dwm.exe
Token: 33	1116	dwm.exe
Token: SeIncBasePriorityPrivilege	1116	dwm.exe
Token: SeCreateGlobalPrivilege	380	dwm.exe
Token: SeChangeNotifyPrivilege	380	dwm.exe
Token: 33	380	dwm.exe
Token: SeIncBasePriorityPrivilege	380	dwm.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
5508	explorer.exe
5508	explorer.exe
3824	explorer.exe
3824	explorer.exe
5816	spoolsv.exe
5816	spoolsv.exe
3824	explorer.exe
3824	explorer.exe
5976	spoolsv.exe
5976	spoolsv.exe
3168	spoolsv.exe
3168	spoolsv.exe
3940	spoolsv.exe
3940	spoolsv.exe
4508	spoolsv.exe
4508	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
3792	spoolsv.exe
3792	spoolsv.exe
2628	spoolsv.exe
2628	spoolsv.exe
4528	spoolsv.exe
4528	spoolsv.exe
3056	spoolsv.exe
3056	spoolsv.exe
4668	spoolsv.exe
4668	spoolsv.exe
3808	spoolsv.exe
3808	spoolsv.exe
5620	spoolsv.exe
5620	spoolsv.exe
5952	spoolsv.exe
5952	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
5752	spoolsv.exe
5752	spoolsv.exe
5096	spoolsv.exe
5096	spoolsv.exe
944	spoolsv.exe
944	spoolsv.exe
4020	spoolsv.exe
4020	spoolsv.exe
6024	spoolsv.exe
6024	spoolsv.exe
4120	spoolsv.exe
4120	spoolsv.exe
2136	spoolsv.exe
2136	spoolsv.exe
6044	spoolsv.exe
6044	spoolsv.exe
3096	spoolsv.exe
3096	spoolsv.exe
5668	spoolsv.exe
5668	spoolsv.exe
3708	spoolsv.exe
3708	spoolsv.exe
4660	spoolsv.exe
4660	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 3280 wrote to memory of 4904	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	cmd.exe
PID 3280 wrote to memory of 4904	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	cmd.exe
PID 3280 wrote to memory of 4904	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	cmd.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 3280 wrote to memory of 1004	3280	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 5352	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
PID 1004 wrote to memory of 4704	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	diskperf.exe
PID 1004 wrote to memory of 4704	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	diskperf.exe
PID 1004 wrote to memory of 4704	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	diskperf.exe
PID 1004 wrote to memory of 4704	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	diskperf.exe
PID 1004 wrote to memory of 4704	1004	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	diskperf.exe
PID 5352 wrote to memory of 5508	5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	explorer.exe
PID 5352 wrote to memory of 5508	5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	explorer.exe
PID 5352 wrote to memory of 5508	5352	0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe	explorer.exe
PID 5508 wrote to memory of 5496	5508	explorer.exe	cmd.exe
PID 5508 wrote to memory of 5496	5508	explorer.exe	cmd.exe
PID 5508 wrote to memory of 5496	5508	explorer.exe	cmd.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe
PID 5508 wrote to memory of 4792	5508	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:4904

C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0a6c1caf5b0862c86d94bc62d71e6ca8_JaffaCakes118.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5352

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:5496

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4792

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2400

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4132

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:5160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2216

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:6116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4252

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3432

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 552
8⤵
- Program crash
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 504
8⤵
- Program crash
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 552
8⤵
- Program crash
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:5524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 664 -ip 664
1⤵
PID:2912

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2384 -ip 2384
1⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 624 -ip 624
1⤵
PID:1384

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
0a6c1caf5b0862c86d94bc62d71e6ca8

SHA1
deddd6ab28cd9c3e44ad9680cb0d5977b02b2282

SHA256
c1636240d330f576c7099520df66c1afae8dd95121cd9150cb2c4fa2e1f8ac66

SHA512
4bc40594db914c83eecc65fba892a9eb24a3e075d7cf0bed0de61183a5649c73e0be8a0d75fa7ffab380dfb5ad5aa47b343a449fd1430aad58179124281c317d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
aaa70cab646272f7ba46fdc5b38fc72e

SHA1
996e49aa0e6794451dc79cb959f0ceae81afad9e

SHA256
7ebc184dd3d0477414064b822ecbf486bc61aaaece44b8d7dfc3f3bee47397ce

SHA512
4302f301991a7842113f0c2acad7b738e51a66a54386c0f2eef3b5eb604800a4327dd8a01e721c974e902ccab682db376f0c99c4cad168c75cbacb2cc1af9161

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
59c4fed9aa148506f14ebba231ec549e

SHA1
ccc1dca3b739045d98bac621ed7d16ae8355e525

SHA256
7bc58f0d8c09537e14fdb363bbb0161e3df1f9d90c68a9873e36ce5aee69a216

SHA512
4ad7942a0613f0040640e9e3ad9eead27139a06d570850e8a18f3b72c017b4222e0cdbbad403cc5d20f8cf3e78078a3d1d5526c72e1b3534f8c41384f687b0b9

Download Submit
memory/512-234-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/512-637-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/960-377-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-7-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1004-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1004-9-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/1004-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-28-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-5-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-33-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1004-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1004-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1004-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1004-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1132-324-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1144-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-208-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1348-509-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1352-300-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1380-335-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1416-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-632-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1496-117-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1496-628-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1496-116-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1496-120-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1496-119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1496-118-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1496-121-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-517-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-109-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1960-412-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2204-313-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-631-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-675-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-260-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-182-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2688-634-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2756-541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-591-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-145-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3284-555-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3348-366-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3488-596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-400-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3624-703-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3624-273-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3716-157-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3824-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-346-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4392-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-355-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4544-78-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4544-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4544-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4544-557-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4544-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4544-80-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4544-79-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4580-621-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-609-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4652-195-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4704-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4704-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4704-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4764-644-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4764-169-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4792-62-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4792-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4792-67-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4792-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4792-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4792-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4792-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4792-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4792-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5240-510-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5240-97-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5276-247-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5276-662-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5352-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5504-285-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5684-388-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5796-587-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5796-221-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/6060-533-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/6060-133-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download