warzonerat | b741d1e8e596bf554521fa1c03c39b2c9bd55ada7902f4e8662d96b496ebaec2

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
Size

2.9MB
MD5

0f8eff07564e439dc3c1759006449bca
SHA1

665e661345128f0fea75f475d6d3a0b716f493e3
SHA256

b741d1e8e596bf554521fa1c03c39b2c9bd55ada7902f4e8662d96b496ebaec2
SHA512

9860fe229a0111502851aa6ca8002f330c81d01a5819f53a0fe46ebeac731a2ad412244c4f025708bc5210f05d11608305fc3a9d7d35287efdebc8208451c093
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHC:3Ty7A3mw4gxeOw46fUbNecCCFbNecP

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 32 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
852	explorer.exe
2740	explorer.exe
1812	explorer.exe
332	spoolsv.exe
2016	spoolsv.exe
2208	spoolsv.exe
1716	spoolsv.exe
2168	spoolsv.exe
2840	spoolsv.exe
2448	spoolsv.exe
1676	spoolsv.exe
2412	spoolsv.exe
2152	spoolsv.exe
1740	spoolsv.exe
684	spoolsv.exe
2004	spoolsv.exe
792	spoolsv.exe
2968	spoolsv.exe
1216	spoolsv.exe
2280	spoolsv.exe
2304	spoolsv.exe
2696	spoolsv.exe
3060	spoolsv.exe
2608	spoolsv.exe
2764	spoolsv.exe
2388	spoolsv.exe
1860	spoolsv.exe
1168	spoolsv.exe
2180	spoolsv.exe
884	spoolsv.exe
1052	spoolsv.exe
1644	spoolsv.exe
2584	spoolsv.exe
2232	spoolsv.exe
2480	spoolsv.exe
2680	spoolsv.exe
2780	spoolsv.exe
672	spoolsv.exe
1876	spoolsv.exe
1496	spoolsv.exe
2188	spoolsv.exe
108	spoolsv.exe
1604	spoolsv.exe
452	spoolsv.exe
2560	spoolsv.exe
2444	spoolsv.exe
2476	spoolsv.exe
2696	spoolsv.exe
2612	spoolsv.exe
2052	spoolsv.exe
1784	spoolsv.exe
2196	spoolsv.exe
2384	spoolsv.exe
1416	spoolsv.exe
1164	spoolsv.exe
2592	spoolsv.exe
2684	spoolsv.exe
2856	spoolsv.exe
2724	spoolsv.exe
1288	spoolsv.exe
2760	spoolsv.exe
2680	spoolsv.exe
1744	spoolsv.exe
2796	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
1812	explorer.exe
1812	explorer.exe
332	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2208	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2168	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2448	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2412	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
1740	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2004	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2968	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2280	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2696	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2608	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2388	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
1168	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
884	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
1644	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2232	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2680	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
672	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
1496	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
108	spoolsv.exe
1812	explorer.exe
1812	explorer.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1988 set thread context of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 set thread context of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 set thread context of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 852 set thread context of 2740	852	explorer.exe	explorer.exe
PID 2740 set thread context of 1812	2740	explorer.exe	explorer.exe
PID 2740 set thread context of 2404	2740	explorer.exe	diskperf.exe
PID 332 set thread context of 2016	332	spoolsv.exe	spoolsv.exe
PID 2208 set thread context of 1716	2208	spoolsv.exe	spoolsv.exe
PID 2168 set thread context of 2840	2168	spoolsv.exe	spoolsv.exe
PID 2448 set thread context of 1676	2448	spoolsv.exe	spoolsv.exe
PID 2412 set thread context of 2152	2412	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 684	1740	spoolsv.exe	spoolsv.exe
PID 2004 set thread context of 792	2004	spoolsv.exe	spoolsv.exe
PID 2968 set thread context of 1216	2968	spoolsv.exe	spoolsv.exe
PID 2280 set thread context of 2304	2280	spoolsv.exe	spoolsv.exe
PID 2696 set thread context of 3060	2696	spoolsv.exe	spoolsv.exe
PID 2608 set thread context of 2764	2608	spoolsv.exe	spoolsv.exe
PID 2388 set thread context of 1860	2388	spoolsv.exe	spoolsv.exe
PID 1168 set thread context of 2180	1168	spoolsv.exe	cmd.exe
PID 884 set thread context of 1052	884	spoolsv.exe	spoolsv.exe
PID 1644 set thread context of 2584	1644	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 2480	2232	spoolsv.exe	spoolsv.exe
PID 2680 set thread context of 2780	2680	spoolsv.exe	spoolsv.exe
PID 672 set thread context of 1876	672	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 2188	1496	spoolsv.exe	spoolsv.exe
PID 108 set thread context of 1604	108	spoolsv.exe	spoolsv.exe
PID 452 set thread context of 2560	452	spoolsv.exe	spoolsv.exe
PID 2444 set thread context of 2476	2444	spoolsv.exe	spoolsv.exe
PID 2696 set thread context of 2612	2696	spoolsv.exe	spoolsv.exe
PID 2052 set thread context of 1784	2052	spoolsv.exe	spoolsv.exe
PID 2196 set thread context of 2384	2196	spoolsv.exe	spoolsv.exe
PID 1416 set thread context of 1164	1416	spoolsv.exe	spoolsv.exe
PID 2592 set thread context of 2684	2592	spoolsv.exe	spoolsv.exe
PID 2856 set thread context of 2724	2856	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 2760	1288	spoolsv.exe	spoolsv.exe
PID 2680 set thread context of 1744	2680	spoolsv.exe	spoolsv.exe
PID 2796 set thread context of 2512	2796	spoolsv.exe	spoolsv.exe
PID 892 set thread context of 804	892	spoolsv.exe	spoolsv.exe
PID 1408 set thread context of 2976	1408	spoolsv.exe	spoolsv.exe
PID 3016 set thread context of 2564	3016	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 2132	2552	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 2988	1584	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 2240	2884	spoolsv.exe	spoolsv.exe
PID 2876 set thread context of 896	2876	spoolsv.exe	spoolsv.exe
PID 2016 set thread context of 1644	2016	spoolsv.exe	spoolsv.exe
PID 2016 set thread context of 3052	2016	spoolsv.exe	diskperf.exe
PID 1988 set thread context of 2968	1988	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 1544	1716	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 1472	1716	spoolsv.exe	diskperf.exe
PID 2840 set thread context of 2060	2840	spoolsv.exe	spoolsv.exe
PID 2904 set thread context of 2728	2904	explorer.exe	explorer.exe
PID 2840 set thread context of 1736	2840	spoolsv.exe	diskperf.exe
PID 1748 set thread context of 2056	1748	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 1764	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 2656	1676	spoolsv.exe	diskperf.exe
PID 580 set thread context of 2136	580	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 884	2152	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 1064	2152	spoolsv.exe	diskperf.exe
PID 2392 set thread context of 1616	2392	spoolsv.exe	spoolsv.exe
PID 684 set thread context of 2940	684	spoolsv.exe	spoolsv.exe
PID 684 set thread context of 2400	684	spoolsv.exe	diskperf.exe
PID 2832 set thread context of 1884	2832	explorer.exe	explorer.exe
PID 792 set thread context of 2608	792	spoolsv.exe	spoolsv.exe
PID 792 set thread context of 3036	792	spoolsv.exe	diskperf.exe

Drops file in Windows directory 56 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
852	explorer.exe
332	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2208	spoolsv.exe
1812	explorer.exe
2168	spoolsv.exe
1812	explorer.exe
2448	spoolsv.exe
1812	explorer.exe
2412	spoolsv.exe
1812	explorer.exe
1740	spoolsv.exe
1812	explorer.exe
2004	spoolsv.exe
1812	explorer.exe
2968	spoolsv.exe
1812	explorer.exe
2280	spoolsv.exe
1812	explorer.exe
2696	spoolsv.exe
1812	explorer.exe
2608	spoolsv.exe
1812	explorer.exe
2388	spoolsv.exe
1812	explorer.exe
1168	spoolsv.exe
1812	explorer.exe
884	spoolsv.exe
1812	explorer.exe
1644	spoolsv.exe
1812	explorer.exe
2232	spoolsv.exe
1812	explorer.exe
2680	spoolsv.exe
1812	explorer.exe
672	spoolsv.exe
1812	explorer.exe
1496	spoolsv.exe
1812	explorer.exe
108	spoolsv.exe
1812	explorer.exe
452	spoolsv.exe
1812	explorer.exe
2444	spoolsv.exe
1812	explorer.exe
2696	spoolsv.exe
1812	explorer.exe
2052	spoolsv.exe
1812	explorer.exe
2196	spoolsv.exe
1812	explorer.exe
1416	spoolsv.exe
1812	explorer.exe
2592	spoolsv.exe
1812	explorer.exe
2856	spoolsv.exe
1812	explorer.exe
1288	spoolsv.exe
1812	explorer.exe
2680	spoolsv.exe
1812	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
852	explorer.exe
852	explorer.exe
1812	explorer.exe
1812	explorer.exe
332	spoolsv.exe
332	spoolsv.exe
1812	explorer.exe
1812	explorer.exe
2208	spoolsv.exe
2208	spoolsv.exe
2168	spoolsv.exe
2168	spoolsv.exe
2448	spoolsv.exe
2448	spoolsv.exe
2412	spoolsv.exe
2412	spoolsv.exe
1740	spoolsv.exe
1740	spoolsv.exe
2004	spoolsv.exe
2004	spoolsv.exe
2968	spoolsv.exe
2968	spoolsv.exe
2280	spoolsv.exe
2280	spoolsv.exe
2696	spoolsv.exe
2696	spoolsv.exe
2608	spoolsv.exe
2608	spoolsv.exe
2388	spoolsv.exe
2388	spoolsv.exe
1168	spoolsv.exe
1168	spoolsv.exe
884	spoolsv.exe
884	spoolsv.exe
1644	spoolsv.exe
1644	spoolsv.exe
2232	spoolsv.exe
2232	spoolsv.exe
2680	spoolsv.exe
2680	spoolsv.exe
672	spoolsv.exe
672	spoolsv.exe
1496	spoolsv.exe
1496	spoolsv.exe
108	spoolsv.exe
108	spoolsv.exe
452	spoolsv.exe
452	spoolsv.exe
2444	spoolsv.exe
2444	spoolsv.exe
2696	spoolsv.exe
2696	spoolsv.exe
2052	spoolsv.exe
2052	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe
1416	spoolsv.exe
1416	spoolsv.exe
2592	spoolsv.exe
2592	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1988 wrote to memory of 1932	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 1932	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 1932	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 1932	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1988 wrote to memory of 1900	1988	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2508	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
PID 1900 wrote to memory of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 1900 wrote to memory of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 1900 wrote to memory of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 1900 wrote to memory of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 1900 wrote to memory of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 1900 wrote to memory of 2604	1900	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	diskperf.exe
PID 2508 wrote to memory of 852	2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	explorer.exe
PID 2508 wrote to memory of 852	2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	explorer.exe
PID 2508 wrote to memory of 852	2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	explorer.exe
PID 2508 wrote to memory of 852	2508	0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe	explorer.exe
PID 852 wrote to memory of 2620	852	explorer.exe	cmd.exe
PID 852 wrote to memory of 2620	852	explorer.exe	cmd.exe
PID 852 wrote to memory of 2620	852	explorer.exe	cmd.exe
PID 852 wrote to memory of 2620	852	explorer.exe	cmd.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe
PID 852 wrote to memory of 2740	852	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1932

C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0f8eff07564e439dc3c1759006449bca_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2620

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2740

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1644

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2128

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:884

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:872

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1396

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2600

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2264

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2040

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1468908982-80109207-1819337483-11668155921306646924695948759-1048828237464636522"
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
0f8eff07564e439dc3c1759006449bca

SHA1
665e661345128f0fea75f475d6d3a0b716f493e3

SHA256
b741d1e8e596bf554521fa1c03c39b2c9bd55ada7902f4e8662d96b496ebaec2

SHA512
9860fe229a0111502851aa6ca8002f330c81d01a5819f53a0fe46ebeac731a2ad412244c4f025708bc5210f05d11608305fc3a9d7d35287efdebc8208451c093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
27e23f44097d21a4683a159969c41405

SHA1
cdb7e4579e79830b5983148886abf7fad07dfc58

SHA256
c58a721fdcc7a0bbb0bc77ef0c12315f772304f851a55cae9c26a8f02d96ac07

SHA512
a778c5284bc1f53e855555ba699b51d068a4365bdc985abff87addf83811236e2afda6e07c5012a9e8706f506f3aad473ab0d22695ddc4775f626d08928af8e7

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
953f2c162e21f406bab194ebacb32e3a

SHA1
071831b6511c0e70d062f44bfbdb1655af2fef14

SHA256
a89ec412e79a3a5cd4a95c164b6e811dfd8f995751a3fe8a7995bad5ffff37d7

SHA512
5053018ea50b511a2ea46a74edcb0d90cddd6079aa04b78c360a91072b125584b8ad9755e40ed659b3ee6735eb0cb55aae29f710cc7bd5beddcc1e86183e3d8e

Download Submit
memory/684-2423-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/684-492-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/792-539-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/792-2493-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/804-1740-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1052-879-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1164-1447-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1216-591-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1216-2563-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1604-1161-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1676-387-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1676-2260-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1716-2119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1716-289-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1744-1642-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-1348-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1860-788-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1860-2866-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1876-1066-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-47-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1900-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1900-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1900-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1900-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1900-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2016-2047-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2016-240-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2132-1889-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2152-437-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2152-2328-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2180-833-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2180-2936-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2188-1114-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2304-2634-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2304-642-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2384-1397-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2476-1256-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2480-972-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2508-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-1687-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2560-1207-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2564-1838-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2584-927-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2604-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2604-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2604-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2612-1303-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2684-1496-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-1547-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2740-172-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2740-144-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2760-1595-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2764-741-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2764-2772-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-1019-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2840-2182-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2840-340-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2976-1790-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3060-695-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3060-2703-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download