warzonerat | 3560e9c2d2d895c2a735388abcd3085ee268f80af275a3427948545dc2ead0b1

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
Size

2.9MB
MD5

12279cdfdf4e0189a5271b7e677be9d0
SHA1

0b934ab2f56675a6d8f78783e2c943a564242ac5
SHA256

3560e9c2d2d895c2a735388abcd3085ee268f80af275a3427948545dc2ead0b1
SHA512

28defab9fd6ecf384683b7468850bf3f52a20abcd3a7cd636dc483292989ec677679fefb2390ce66538f12556d6176e21ee34497b65e3edc6bf5cad8c8441e7f
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHK:3Ty7A3mw4gxeOw46fUbNecCCFbNecD

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 40 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

pid	process
1732	explorer.exe
1648	explorer.exe
1764	explorer.exe
1948	spoolsv.exe
1280	spoolsv.exe
1496	spoolsv.exe
2960	spoolsv.exe
1668	spoolsv.exe
1692	spoolsv.exe
2440	spoolsv.exe
2656	spoolsv.exe
808	spoolsv.exe
2912	spoolsv.exe
2828	spoolsv.exe
2056	spoolsv.exe
1048	spoolsv.exe
356	spoolsv.exe
2220	spoolsv.exe
1708	spoolsv.exe
2552	spoolsv.exe
3000	spoolsv.exe
2508	spoolsv.exe
2476	spoolsv.exe
1604	spoolsv.exe
2976	spoolsv.exe
1312	spoolsv.exe
2540	spoolsv.exe
1468	spoolsv.exe
2184	spoolsv.exe
3016	spoolsv.exe
1976	spoolsv.exe
2800	spoolsv.exe
3044	spoolsv.exe
2532	spoolsv.exe
2676	spoolsv.exe
2440	spoolsv.exe
2148	spoolsv.exe
2744	spoolsv.exe
2344	spoolsv.exe
664	spoolsv.exe
2504	spoolsv.exe
644	spoolsv.exe
1292	spoolsv.exe
1756	spoolsv.exe
2968	spoolsv.exe
2248	spoolsv.exe
2428	spoolsv.exe
2720	spoolsv.exe
1776	spoolsv.exe
1592	spoolsv.exe
1652	spoolsv.exe
2464	spoolsv.exe
588	spoolsv.exe
2032	spoolsv.exe
1240	spoolsv.exe
2220	spoolsv.exe
2524	spoolsv.exe
1784	spoolsv.exe
2248	spoolsv.exe
2448	spoolsv.exe
2488	spoolsv.exe
996	spoolsv.exe
1956	spoolsv.exe
872	explorer.exe

Loads dropped DLL 64 IoCs

Processes:

12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1764	explorer.exe
1764	explorer.exe
1948	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1496	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1668	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2440	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
808	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2828	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1048	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2220	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2552	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2508	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1604	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1312	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1468	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
3016	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2800	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2532	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2440	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
2744	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
664	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
644	spoolsv.exe
1764	explorer.exe
1764	explorer.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2876 set thread context of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 set thread context of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 set thread context of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 1732 set thread context of 1648	1732	explorer.exe	explorer.exe
PID 1648 set thread context of 1764	1648	explorer.exe	explorer.exe
PID 1648 set thread context of 3012	1648	explorer.exe	diskperf.exe
PID 1948 set thread context of 1280	1948	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 2960	1496	spoolsv.exe	spoolsv.exe
PID 1668 set thread context of 1692	1668	spoolsv.exe	spoolsv.exe
PID 2440 set thread context of 2656	2440	spoolsv.exe	spoolsv.exe
PID 808 set thread context of 2912	808	spoolsv.exe	spoolsv.exe
PID 2828 set thread context of 2056	2828	spoolsv.exe	spoolsv.exe
PID 1048 set thread context of 356	1048	spoolsv.exe	spoolsv.exe
PID 2220 set thread context of 1708	2220	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 3000	2552	spoolsv.exe	spoolsv.exe
PID 2508 set thread context of 2476	2508	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 2976	1604	spoolsv.exe	spoolsv.exe
PID 1312 set thread context of 2540	1312	spoolsv.exe	spoolsv.exe
PID 1468 set thread context of 2184	1468	spoolsv.exe	spoolsv.exe
PID 3016 set thread context of 1976	3016	spoolsv.exe	spoolsv.exe
PID 2800 set thread context of 3044	2800	spoolsv.exe	spoolsv.exe
PID 2532 set thread context of 2676	2532	spoolsv.exe	spoolsv.exe
PID 2440 set thread context of 2148	2440	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 2344	2744	spoolsv.exe	spoolsv.exe
PID 664 set thread context of 2504	664	spoolsv.exe	spoolsv.exe
PID 644 set thread context of 1292	644	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 2968	1756	spoolsv.exe	spoolsv.exe
PID 2248 set thread context of 2428	2248	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 1776	2720	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 1652	1592	spoolsv.exe	spoolsv.exe
PID 2464 set thread context of 588	2464	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 1240	2032	spoolsv.exe	spoolsv.exe
PID 2220 set thread context of 2524	2220	spoolsv.exe	spoolsv.exe
PID 1784 set thread context of 2248	1784	spoolsv.exe	spoolsv.exe
PID 2448 set thread context of 2488	2448	spoolsv.exe	spoolsv.exe
PID 1280 set thread context of 1956	1280	spoolsv.exe	spoolsv.exe
PID 1280 set thread context of 1508	1280	spoolsv.exe	diskperf.exe
PID 996 set thread context of 1640	996	spoolsv.exe	spoolsv.exe
PID 2960 set thread context of 1080	2960	spoolsv.exe	spoolsv.exe
PID 2960 set thread context of 1988	2960	spoolsv.exe	diskperf.exe
PID 872 set thread context of 2388	872	explorer.exe	explorer.exe
PID 1920 set thread context of 1232	1920	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 2592	1692	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 2632	1692	spoolsv.exe	diskperf.exe
PID 2656 set thread context of 2796	2656	spoolsv.exe	spoolsv.exe
PID 2656 set thread context of 2536	2656	spoolsv.exe	diskperf.exe
PID 1792 set thread context of 2608	1792	spoolsv.exe	spoolsv.exe
PID 2912 set thread context of 1620	2912	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 2604	1684	explorer.exe	explorer.exe
PID 2912 set thread context of 2756	2912	spoolsv.exe	diskperf.exe
PID 2252 set thread context of 2300	2252	spoolsv.exe	spoolsv.exe
PID 2056 set thread context of 1504	2056	spoolsv.exe	spoolsv.exe
PID 2056 set thread context of 620	2056	spoolsv.exe	diskperf.exe
PID 356 set thread context of 2948	356	spoolsv.exe	spoolsv.exe
PID 356 set thread context of 644	356	spoolsv.exe	diskperf.exe
PID 1576 set thread context of 304	1576	explorer.exe	explorer.exe
PID 1840 set thread context of 2576	1840	spoolsv.exe	spoolsv.exe
PID 1708 set thread context of 2748	1708	spoolsv.exe	spoolsv.exe
PID 1708 set thread context of 2548	1708	spoolsv.exe	diskperf.exe
PID 3000 set thread context of 2904	3000	spoolsv.exe	spoolsv.exe
PID 3000 set thread context of 556	3000	spoolsv.exe	diskperf.exe
PID 2496 set thread context of 1080	2496	explorer.exe	explorer.exe
PID 1552 set thread context of 828	1552	spoolsv.exe	spoolsv.exe
PID 2476 set thread context of 2772	2476	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 47 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1732	explorer.exe
1948	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1496	spoolsv.exe
1764	explorer.exe
1668	spoolsv.exe
1764	explorer.exe
2440	spoolsv.exe
1764	explorer.exe
808	spoolsv.exe
1764	explorer.exe
2828	spoolsv.exe
1764	explorer.exe
1048	spoolsv.exe
1764	explorer.exe
2220	spoolsv.exe
1764	explorer.exe
2552	spoolsv.exe
1764	explorer.exe
2508	spoolsv.exe
1764	explorer.exe
1604	spoolsv.exe
1764	explorer.exe
1312	spoolsv.exe
1764	explorer.exe
1468	spoolsv.exe
1764	explorer.exe
3016	spoolsv.exe
1764	explorer.exe
2800	spoolsv.exe
1764	explorer.exe
2532	spoolsv.exe
1764	explorer.exe
2440	spoolsv.exe
1764	explorer.exe
2744	spoolsv.exe
1764	explorer.exe
664	spoolsv.exe
1764	explorer.exe
644	spoolsv.exe
1764	explorer.exe
1756	spoolsv.exe
1764	explorer.exe
2248	spoolsv.exe
1764	explorer.exe
2720	spoolsv.exe
1764	explorer.exe
1592	spoolsv.exe
1764	explorer.exe
2464	spoolsv.exe
1764	explorer.exe
2032	spoolsv.exe
1764	explorer.exe
2220	spoolsv.exe
1764	explorer.exe
1784	spoolsv.exe
1764	explorer.exe
2448	spoolsv.exe
1764	explorer.exe
996	spoolsv.exe
1764	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
1732	explorer.exe
1732	explorer.exe
1764	explorer.exe
1764	explorer.exe
1948	spoolsv.exe
1948	spoolsv.exe
1764	explorer.exe
1764	explorer.exe
1496	spoolsv.exe
1496	spoolsv.exe
1668	spoolsv.exe
1668	spoolsv.exe
2440	spoolsv.exe
2440	spoolsv.exe
808	spoolsv.exe
808	spoolsv.exe
2828	spoolsv.exe
2828	spoolsv.exe
1048	spoolsv.exe
1048	spoolsv.exe
2220	spoolsv.exe
2220	spoolsv.exe
2552	spoolsv.exe
2552	spoolsv.exe
2508	spoolsv.exe
2508	spoolsv.exe
1604	spoolsv.exe
1604	spoolsv.exe
1312	spoolsv.exe
1312	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
3016	spoolsv.exe
3016	spoolsv.exe
2800	spoolsv.exe
2800	spoolsv.exe
2532	spoolsv.exe
2532	spoolsv.exe
2440	spoolsv.exe
2440	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
664	spoolsv.exe
664	spoolsv.exe
644	spoolsv.exe
644	spoolsv.exe
1756	spoolsv.exe
1756	spoolsv.exe
2248	spoolsv.exe
2248	spoolsv.exe
2720	spoolsv.exe
2720	spoolsv.exe
1592	spoolsv.exe
1592	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2032	spoolsv.exe
2032	spoolsv.exe
2220	spoolsv.exe
2220	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2876 wrote to memory of 2968	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2968	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2968	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2968	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 2876 wrote to memory of 3028	2876	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 1428	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
PID 3028 wrote to memory of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 3028 wrote to memory of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 3028 wrote to memory of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 3028 wrote to memory of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 3028 wrote to memory of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 3028 wrote to memory of 2668	3028	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	diskperf.exe
PID 1428 wrote to memory of 1732	1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	explorer.exe
PID 1428 wrote to memory of 1732	1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	explorer.exe
PID 1428 wrote to memory of 1732	1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	explorer.exe
PID 1428 wrote to memory of 1732	1428	12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe	explorer.exe
PID 1732 wrote to memory of 2396	1732	explorer.exe	cmd.exe
PID 1732 wrote to memory of 2396	1732	explorer.exe	cmd.exe
PID 1732 wrote to memory of 2396	1732	explorer.exe	cmd.exe
PID 1732 wrote to memory of 2396	1732	explorer.exe	cmd.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe
PID 1732 wrote to memory of 1648	1732	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2968

C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\12279cdfdf4e0189a5271b7e677be9d0_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2396

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1648

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
PID:1956

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2360

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2796

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2760

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1504

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1960

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2748

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1256

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2904

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2772

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1596

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2660

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
12279cdfdf4e0189a5271b7e677be9d0

SHA1
0b934ab2f56675a6d8f78783e2c943a564242ac5

SHA256
3560e9c2d2d895c2a735388abcd3085ee268f80af275a3427948545dc2ead0b1

SHA512
28defab9fd6ecf384683b7468850bf3f52a20abcd3a7cd636dc483292989ec677679fefb2390ce66538f12556d6176e21ee34497b65e3edc6bf5cad8c8441e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
990dcd27a8a82bf0ca51b21b0e2b6f1e

SHA1
094ccc1986de94c3943c219b03b1ca856be1a349

SHA256
b8948d6be4f47f42a428d91c0847a0f7128466f2d0fe30299fbe18675418598f

SHA512
1af335a3752ffc935b346e7c58226d08b8639f6a1539660fdb9a81c72bab006630b0a8cfc91142526bf96ecaa1a9fc08b00c23f4f65c02167e6171d00b24d5c3

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
463a6af1ebd71fc9b1385d5fa8e04979

SHA1
e7e21d196eb37c381eae47f5ca9eb298c7f39fe8

SHA256
34aaa6707c5fd4d899ebec1fdc35213e32b596aef5da43f26c0d6ab466109036

SHA512
8e81d0a7fc641cd0526027819ee245d8125252e20f777c89b8bda286a45e8ab3f6fd664b53910c7954ead32ff157ad9bb352a9eaa48cbd7742bc8fe5fa4077ab

Download Submit
memory/356-541-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/356-2082-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/588-1423-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1240-1473-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1280-243-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1280-1643-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1428-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-147-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1648-181-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1652-1375-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1692-343-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1692-1831-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1708-595-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1708-2195-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1776-1326-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1976-889-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2056-489-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2056-2054-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2148-1032-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2184-840-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2428-1275-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2476-2346-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2476-699-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2504-1129-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2540-2486-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2540-795-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2656-393-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2656-1855-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2912-1972-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2912-440-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2960-292-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2960-1716-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2968-1225-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2976-748-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2976-2374-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3000-2220-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3000-646-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-50-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3028-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/3028-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-85-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3028-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3028-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download