warzonerat | ab9f060f93985cffe64d7fa7ad5ef3c39b691bb728d5c5b95eaf7a39195dcb96

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
Size

2.9MB
MD5

1209afa690c2fa47191318b11f389b4c
SHA1

e9d9cb63df59fa015ba751e044645d36bf7ff5d8
SHA256

ab9f060f93985cffe64d7fa7ad5ef3c39b691bb728d5c5b95eaf7a39195dcb96
SHA512

1c84a56e434e3d79492c76461c806efe8efadc84e6fde7e4fa9a471e52ccc0c6b50c8cd7a247e89502b46568a51e32254055df293e0cb187cc542cd0e52aad9c
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHs:3Ty7A3mw4gxeOw46fUbNecCCFbNecj

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 37 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1736	explorer.exe
344	explorer.exe
1140	explorer.exe
1204	spoolsv.exe
1460	spoolsv.exe
884	spoolsv.exe
2348	spoolsv.exe
2532	spoolsv.exe
2144	spoolsv.exe
2516	spoolsv.exe
2316	spoolsv.exe
1556	spoolsv.exe
2380	spoolsv.exe
2900	spoolsv.exe
1984	spoolsv.exe
1212	spoolsv.exe
2356	spoolsv.exe
348	spoolsv.exe
876	spoolsv.exe
884	spoolsv.exe
2596	spoolsv.exe
2152	spoolsv.exe
2504	spoolsv.exe
2304	spoolsv.exe
2464	spoolsv.exe
2828	spoolsv.exe
352	spoolsv.exe
952	spoolsv.exe
2228	spoolsv.exe
924	spoolsv.exe
1196	spoolsv.exe
3068	spoolsv.exe
2944	spoolsv.exe
2584	spoolsv.exe
2936	spoolsv.exe
2860	spoolsv.exe
1532	spoolsv.exe
1556	spoolsv.exe
1184	spoolsv.exe
632	spoolsv.exe
2176	spoolsv.exe
2676	spoolsv.exe
3036	spoolsv.exe
2168	spoolsv.exe
1704	spoolsv.exe
2436	spoolsv.exe
2656	spoolsv.exe
2568	spoolsv.exe
1600	spoolsv.exe
2304	spoolsv.exe
2580	spoolsv.exe
2916	spoolsv.exe
1716	spoolsv.exe
2784	spoolsv.exe
2976	spoolsv.exe
1708	spoolsv.exe
1832	spoolsv.exe
1444	spoolsv.exe
1860	spoolsv.exe
2620	spoolsv.exe
2684	spoolsv.exe
2120	spoolsv.exe
1440	spoolsv.exe
2024	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1140	explorer.exe
1140	explorer.exe
1204	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
884	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2532	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2516	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
1556	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2900	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
1212	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
348	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
884	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2152	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2304	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2828	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
952	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
924	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
3068	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2584	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2860	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
1556	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
632	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
2676	spoolsv.exe
1140	explorer.exe
1140	explorer.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 61 IoCs

Processes:

1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1728 set thread context of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 set thread context of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 set thread context of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1736 set thread context of 344	1736	explorer.exe	explorer.exe
PID 344 set thread context of 1140	344	explorer.exe	explorer.exe
PID 344 set thread context of 2912	344	explorer.exe	diskperf.exe
PID 1204 set thread context of 1460	1204	spoolsv.exe	spoolsv.exe
PID 884 set thread context of 2348	884	spoolsv.exe	spoolsv.exe
PID 2532 set thread context of 2144	2532	spoolsv.exe	spoolsv.exe
PID 2516 set thread context of 2316	2516	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 2380	1556	spoolsv.exe	spoolsv.exe
PID 2900 set thread context of 1984	2900	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 2356	1212	spoolsv.exe	spoolsv.exe
PID 348 set thread context of 876	348	spoolsv.exe	spoolsv.exe
PID 884 set thread context of 2596	884	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 2504	2152	spoolsv.exe	spoolsv.exe
PID 2304 set thread context of 2464	2304	spoolsv.exe	spoolsv.exe
PID 2828 set thread context of 352	2828	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 2228	952	spoolsv.exe	spoolsv.exe
PID 924 set thread context of 1196	924	spoolsv.exe	spoolsv.exe
PID 3068 set thread context of 2944	3068	spoolsv.exe	spoolsv.exe
PID 2584 set thread context of 2936	2584	spoolsv.exe	spoolsv.exe
PID 2860 set thread context of 1532	2860	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 1184	1556	spoolsv.exe	spoolsv.exe
PID 632 set thread context of 2176	632	spoolsv.exe	spoolsv.exe
PID 2676 set thread context of 3036	2676	spoolsv.exe	spoolsv.exe
PID 2168 set thread context of 1704	2168	spoolsv.exe	spoolsv.exe
PID 2436 set thread context of 2656	2436	spoolsv.exe	spoolsv.exe
PID 2568 set thread context of 1600	2568	spoolsv.exe	spoolsv.exe
PID 2304 set thread context of 2580	2304	spoolsv.exe	spoolsv.exe
PID 2916 set thread context of 1716	2916	spoolsv.exe	spoolsv.exe
PID 2784 set thread context of 2976	2784	spoolsv.exe	spoolsv.exe
PID 1708 set thread context of 1832	1708	spoolsv.exe	spoolsv.exe
PID 1444 set thread context of 1860	1444	spoolsv.exe	spoolsv.exe
PID 2620 set thread context of 2684	2620	spoolsv.exe	spoolsv.exe
PID 2120 set thread context of 1440	2120	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 2496	2024	spoolsv.exe	spoolsv.exe
PID 988 set thread context of 2220	988	spoolsv.exe	spoolsv.exe
PID 1872 set thread context of 1472	1872	spoolsv.exe	spoolsv.exe
PID 1708 set thread context of 2768	1708	spoolsv.exe	spoolsv.exe
PID 2704 set thread context of 2948	2704	spoolsv.exe	spoolsv.exe
PID 2204 set thread context of 2404	2204	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 2432	2024	spoolsv.exe	spoolsv.exe
PID 2916 set thread context of 1720	2916	spoolsv.exe	spoolsv.exe
PID 1460 set thread context of 1640	1460	spoolsv.exe	spoolsv.exe
PID 1460 set thread context of 320	1460	spoolsv.exe	diskperf.exe
PID 1204 set thread context of 2008	1204	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 1988	2668	explorer.exe	explorer.exe
PID 2144 set thread context of 2488	2144	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 2680	2144	spoolsv.exe	diskperf.exe
PID 2532 set thread context of 1772	2532	spoolsv.exe	spoolsv.exe
PID 2040 set thread context of 2916	2040	explorer.exe	explorer.exe
PID 2316 set thread context of 700	2316	spoolsv.exe	spoolsv.exe
PID 2380 set thread context of 1588	2380	spoolsv.exe	spoolsv.exe
PID 2316 set thread context of 956	2316	spoolsv.exe	diskperf.exe
PID 2380 set thread context of 360	2380	spoolsv.exe	diskperf.exe
PID 2996 set thread context of 1776	2996	spoolsv.exe	spoolsv.exe
PID 1984 set thread context of 3004	1984	spoolsv.exe	spoolsv.exe
PID 1000 set thread context of 624	1000	explorer.exe	explorer.exe
PID 1984 set thread context of 1260	1984	spoolsv.exe	diskperf.exe
PID 2356 set thread context of 2024	2356	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 49 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1736	explorer.exe
1204	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
884	spoolsv.exe
1140	explorer.exe
2532	spoolsv.exe
1140	explorer.exe
2516	spoolsv.exe
1140	explorer.exe
1556	spoolsv.exe
1140	explorer.exe
2900	spoolsv.exe
1140	explorer.exe
1212	spoolsv.exe
1140	explorer.exe
348	spoolsv.exe
1140	explorer.exe
884	spoolsv.exe
1140	explorer.exe
2152	spoolsv.exe
1140	explorer.exe
2304	spoolsv.exe
1140	explorer.exe
2828	spoolsv.exe
1140	explorer.exe
952	spoolsv.exe
1140	explorer.exe
924	spoolsv.exe
1140	explorer.exe
3068	spoolsv.exe
1140	explorer.exe
2584	spoolsv.exe
1140	explorer.exe
2860	spoolsv.exe
1140	explorer.exe
1556	spoolsv.exe
1140	explorer.exe
632	spoolsv.exe
1140	explorer.exe
2676	spoolsv.exe
1140	explorer.exe
2168	spoolsv.exe
1140	explorer.exe
2436	spoolsv.exe
1140	explorer.exe
2568	spoolsv.exe
1140	explorer.exe
2304	spoolsv.exe
1140	explorer.exe
2916	spoolsv.exe
1140	explorer.exe
2784	spoolsv.exe
1140	explorer.exe
1708	spoolsv.exe
1140	explorer.exe
1444	spoolsv.exe
1140	explorer.exe
2620	spoolsv.exe
1140	explorer.exe
2120	spoolsv.exe
1140	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
1736	explorer.exe
1736	explorer.exe
1140	explorer.exe
1140	explorer.exe
1204	spoolsv.exe
1204	spoolsv.exe
1140	explorer.exe
1140	explorer.exe
884	spoolsv.exe
884	spoolsv.exe
2532	spoolsv.exe
2532	spoolsv.exe
2516	spoolsv.exe
2516	spoolsv.exe
1556	spoolsv.exe
1556	spoolsv.exe
2900	spoolsv.exe
2900	spoolsv.exe
1212	spoolsv.exe
1212	spoolsv.exe
348	spoolsv.exe
348	spoolsv.exe
884	spoolsv.exe
884	spoolsv.exe
2152	spoolsv.exe
2152	spoolsv.exe
2304	spoolsv.exe
2304	spoolsv.exe
2828	spoolsv.exe
2828	spoolsv.exe
952	spoolsv.exe
952	spoolsv.exe
924	spoolsv.exe
924	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
2584	spoolsv.exe
2584	spoolsv.exe
2860	spoolsv.exe
2860	spoolsv.exe
1556	spoolsv.exe
1556	spoolsv.exe
632	spoolsv.exe
632	spoolsv.exe
2676	spoolsv.exe
2676	spoolsv.exe
2168	spoolsv.exe
2168	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2568	spoolsv.exe
2568	spoolsv.exe
2304	spoolsv.exe
2304	spoolsv.exe
2916	spoolsv.exe
2916	spoolsv.exe
2784	spoolsv.exe
2784	spoolsv.exe
1708	spoolsv.exe
1708	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1728 wrote to memory of 1856	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 1856	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 1856	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 1856	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1728 wrote to memory of 1608	1728	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 1740	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
PID 1608 wrote to memory of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1608 wrote to memory of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1608 wrote to memory of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1608 wrote to memory of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1608 wrote to memory of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1608 wrote to memory of 2724	1608	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	diskperf.exe
PID 1740 wrote to memory of 1736	1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	explorer.exe
PID 1740 wrote to memory of 1736	1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	explorer.exe
PID 1740 wrote to memory of 1736	1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	explorer.exe
PID 1740 wrote to memory of 1736	1740	1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe	explorer.exe
PID 1736 wrote to memory of 2276	1736	explorer.exe	cmd.exe
PID 1736 wrote to memory of 2276	1736	explorer.exe	cmd.exe
PID 1736 wrote to memory of 2276	1736	explorer.exe	cmd.exe
PID 1736 wrote to memory of 2276	1736	explorer.exe	cmd.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe
PID 1736 wrote to memory of 344	1736	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1856

C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1209afa690c2fa47191318b11f389b4c_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2276

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:344

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1620

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2488

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2400

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1588

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2744

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1648

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1516

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2412

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
1209afa690c2fa47191318b11f389b4c

SHA1
e9d9cb63df59fa015ba751e044645d36bf7ff5d8

SHA256
ab9f060f93985cffe64d7fa7ad5ef3c39b691bb728d5c5b95eaf7a39195dcb96

SHA512
1c84a56e434e3d79492c76461c806efe8efadc84e6fde7e4fa9a471e52ccc0c6b50c8cd7a247e89502b46568a51e32254055df293e0cb187cc542cd0e52aad9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
da1c6fd9d759609f00837b30e7417d67

SHA1
ddbf7352942ed0da6b983e6d350d513a8ac78187

SHA256
e4c81bcdb1c418b2ad81cb7489fdf98004af27e1403518d05f1628d3b2164369

SHA512
3bf7b7d057c70b7cedbd67a2ae4455647cb851c9921d7151b1714587757b0423e024b6ca6bdb80a66dcbe170200b607bd1bc6b32191c01489b63fb9456a2d79c

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
7a4ec2862a57a7e8f8f30634c612e9e3

SHA1
5a4950e9755edf009e9b16435561323443efed96

SHA256
ebfc2bada1d97c1c1d1d88d0d5060773913c3072bef2263c1997b4ca5264c5a3

SHA512
d8359698f05a0b4dc2805bfe736049d88f52ba604c32af13d27c015b50ff5cebfb9abde0242cd5d391e614aa6b13a686e70950ce35ce71f6c69f51c38d698a2a

Download Submit
memory/344-146-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/344-174-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/352-788-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/352-2895-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/876-591-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/876-2576-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1196-880-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1460-242-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1460-2030-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1532-1020-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1608-41-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-51-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-47-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1608-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-48-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-37-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-87-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1608-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1608-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1740-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-485-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1984-2493-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2144-2156-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2144-338-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2228-834-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2228-2951-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2316-388-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2316-2309-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2348-286-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2348-2110-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2356-540-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2356-2508-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2380-438-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2380-2323-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-741-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-2806-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2504-694-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2504-2787-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2596-2643-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2596-641-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2936-974-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2944-925-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download