warzonerat | 196dbd3ca2711f44cf460daa54cbb05b6256f3a7cb2e55e3724123407f7706fe

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
Size

2.9MB
MD5

12d0de2a14a4b41d5f2d74ecf1c04315
SHA1

1b92306a37930364e02901632c58de90b0bcc231
SHA256

196dbd3ca2711f44cf460daa54cbb05b6256f3a7cb2e55e3724123407f7706fe
SHA512

2c9e8f8d8b55afc0bad8e1f561568e802efd167d28f2b698087ab01c268d0d0388ef027d78d1a38a94267636c567732b116bf35720e9c14df48579e1162dac56
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHZ:3Ty7A3mw4gxeOw46fUbNecCCFbNec4

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 34 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

pid	process
1636	explorer.exe
1952	explorer.exe
356	explorer.exe
1032	spoolsv.exe
1840	spoolsv.exe
2896	spoolsv.exe
1720	spoolsv.exe
2824	spoolsv.exe
3060	spoolsv.exe
2572	spoolsv.exe
2804	spoolsv.exe
1532	spoolsv.exe
2520	spoolsv.exe
3000	spoolsv.exe
772	spoolsv.exe
412	spoolsv.exe
840	spoolsv.exe
1320	spoolsv.exe
2384	spoolsv.exe
2596	spoolsv.exe
2644	spoolsv.exe
2568	spoolsv.exe
2504	spoolsv.exe
2440	spoolsv.exe
1548	spoolsv.exe
2992	spoolsv.exe
1724	spoolsv.exe
2948	spoolsv.exe
1804	spoolsv.exe
1608	spoolsv.exe
1612	spoolsv.exe
2372	spoolsv.exe
2136	spoolsv.exe
2556	spoolsv.exe
1776	spoolsv.exe
844	spoolsv.exe
2960	spoolsv.exe
1236	spoolsv.exe
1304	spoolsv.exe
1136	spoolsv.exe
2608	spoolsv.exe
2132	spoolsv.exe
1252	spoolsv.exe
384	spoolsv.exe
2704	spoolsv.exe
2800	spoolsv.exe
1968	spoolsv.exe
1028	spoolsv.exe
2936	spoolsv.exe
2744	spoolsv.exe
324	spoolsv.exe
2400	spoolsv.exe
572	spoolsv.exe
2512	spoolsv.exe
688	spoolsv.exe
2656	spoolsv.exe
2720	spoolsv.exe
3024	spoolsv.exe
2012	spoolsv.exe
2472	spoolsv.exe
1572	spoolsv.exe
336	spoolsv.exe
3036	explorer.exe
1924	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
356	explorer.exe
356	explorer.exe
1032	spoolsv.exe
356	explorer.exe
356	explorer.exe
2896	spoolsv.exe
356	explorer.exe
356	explorer.exe
2824	spoolsv.exe
356	explorer.exe
356	explorer.exe
2572	spoolsv.exe
356	explorer.exe
356	explorer.exe
1532	spoolsv.exe
356	explorer.exe
356	explorer.exe
3000	spoolsv.exe
356	explorer.exe
356	explorer.exe
412	spoolsv.exe
356	explorer.exe
356	explorer.exe
1320	spoolsv.exe
356	explorer.exe
356	explorer.exe
2596	spoolsv.exe
356	explorer.exe
356	explorer.exe
2568	spoolsv.exe
356	explorer.exe
356	explorer.exe
2440	spoolsv.exe
356	explorer.exe
356	explorer.exe
2992	spoolsv.exe
356	explorer.exe
356	explorer.exe
2948	spoolsv.exe
356	explorer.exe
356	explorer.exe
1608	spoolsv.exe
356	explorer.exe
356	explorer.exe
2372	spoolsv.exe
356	explorer.exe
356	explorer.exe
2556	spoolsv.exe
356	explorer.exe
356	explorer.exe
844	spoolsv.exe
356	explorer.exe
356	explorer.exe
1236	spoolsv.exe
356	explorer.exe
356	explorer.exe
1136	spoolsv.exe
356	explorer.exe
356	explorer.exe
2132	spoolsv.exe
356	explorer.exe
356	explorer.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exe12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2416 set thread context of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 set thread context of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 set thread context of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 1636 set thread context of 1952	1636	explorer.exe	explorer.exe
PID 1952 set thread context of 356	1952	explorer.exe	explorer.exe
PID 1952 set thread context of 2096	1952	explorer.exe	diskperf.exe
PID 1032 set thread context of 1840	1032	spoolsv.exe	spoolsv.exe
PID 2896 set thread context of 1720	2896	spoolsv.exe	spoolsv.exe
PID 2824 set thread context of 3060	2824	spoolsv.exe	spoolsv.exe
PID 2572 set thread context of 2804	2572	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 2520	1532	spoolsv.exe	spoolsv.exe
PID 3000 set thread context of 772	3000	spoolsv.exe	spoolsv.exe
PID 412 set thread context of 840	412	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 2384	1320	spoolsv.exe	spoolsv.exe
PID 2596 set thread context of 2644	2596	spoolsv.exe	spoolsv.exe
PID 2568 set thread context of 2504	2568	spoolsv.exe	spoolsv.exe
PID 2440 set thread context of 1548	2440	spoolsv.exe	spoolsv.exe
PID 2992 set thread context of 1724	2992	spoolsv.exe	spoolsv.exe
PID 2948 set thread context of 1804	2948	spoolsv.exe	spoolsv.exe
PID 1608 set thread context of 1612	1608	spoolsv.exe	spoolsv.exe
PID 2372 set thread context of 2136	2372	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 1776	2556	spoolsv.exe	spoolsv.exe
PID 844 set thread context of 2960	844	spoolsv.exe	spoolsv.exe
PID 1236 set thread context of 1304	1236	spoolsv.exe	spoolsv.exe
PID 1136 set thread context of 2608	1136	spoolsv.exe	spoolsv.exe
PID 2132 set thread context of 1252	2132	spoolsv.exe	spoolsv.exe
PID 384 set thread context of 2704	384	spoolsv.exe	spoolsv.exe
PID 2800 set thread context of 1968	2800	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 2936	1028	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 324	2744	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 572	2400	spoolsv.exe	spoolsv.exe
PID 2512 set thread context of 688	2512	spoolsv.exe	spoolsv.exe
PID 2656 set thread context of 2720	2656	spoolsv.exe	spoolsv.exe
PID 3024 set thread context of 2012	3024	spoolsv.exe	spoolsv.exe
PID 2472 set thread context of 1572	2472	spoolsv.exe	spoolsv.exe
PID 1840 set thread context of 336	1840	spoolsv.exe	spoolsv.exe
PID 1840 set thread context of 1792	1840	spoolsv.exe	diskperf.exe
PID 1720 set thread context of 672	1720	spoolsv.exe	spoolsv.exe
PID 1720 set thread context of 480	1720	spoolsv.exe	diskperf.exe
PID 1924 set thread context of 2396	1924	spoolsv.exe	spoolsv.exe
PID 2340 set thread context of 1800	2340	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 1980	3060	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 1016	3060	spoolsv.exe	diskperf.exe
PID 2016 set thread context of 2060	2016	spoolsv.exe	spoolsv.exe
PID 2804 set thread context of 2604	2804	spoolsv.exe	spoolsv.exe
PID 2804 set thread context of 2480	2804	spoolsv.exe	diskperf.exe
PID 2520 set thread context of 1640	2520	spoolsv.exe	spoolsv.exe
PID 864 set thread context of 2364	864	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 1432	2520	spoolsv.exe	diskperf.exe
PID 772 set thread context of 284	772	spoolsv.exe	spoolsv.exe
PID 772 set thread context of 2840	772	spoolsv.exe	diskperf.exe
PID 2292 set thread context of 640	2292	spoolsv.exe	spoolsv.exe
PID 840 set thread context of 812	840	spoolsv.exe	spoolsv.exe
PID 840 set thread context of 2200	840	spoolsv.exe	diskperf.exe
PID 948 set thread context of 1600	948	spoolsv.exe	spoolsv.exe
PID 2384 set thread context of 2620	2384	spoolsv.exe	spoolsv.exe
PID 2384 set thread context of 1756	2384	spoolsv.exe	diskperf.exe
PID 2648 set thread context of 1944	2648	spoolsv.exe	spoolsv.exe
PID 2644 set thread context of 2636	2644	spoolsv.exe	spoolsv.exe
PID 2644 set thread context of 2516	2644	spoolsv.exe	diskperf.exe
PID 2768 set thread context of 2796	2768	spoolsv.exe	spoolsv.exe
PID 2504 set thread context of 1512	2504	spoolsv.exe	spoolsv.exe
PID 2504 set thread context of 1136	2504	spoolsv.exe	diskperf.exe
PID 2748 set thread context of 2592	2748	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 45 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2140 3036 WerFault.exe explorer.exe

pid	pid_target	process	target process
2140	3036	WerFault.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
1636	explorer.exe
1032	spoolsv.exe
356	explorer.exe
356	explorer.exe
2896	spoolsv.exe
356	explorer.exe
2824	spoolsv.exe
356	explorer.exe
2572	spoolsv.exe
356	explorer.exe
1532	spoolsv.exe
356	explorer.exe
3000	spoolsv.exe
356	explorer.exe
412	spoolsv.exe
356	explorer.exe
1320	spoolsv.exe
356	explorer.exe
2596	spoolsv.exe
356	explorer.exe
2568	spoolsv.exe
356	explorer.exe
2440	spoolsv.exe
356	explorer.exe
2992	spoolsv.exe
356	explorer.exe
2948	spoolsv.exe
356	explorer.exe
1608	spoolsv.exe
356	explorer.exe
2372	spoolsv.exe
356	explorer.exe
2556	spoolsv.exe
356	explorer.exe
844	spoolsv.exe
356	explorer.exe
1236	spoolsv.exe
356	explorer.exe
1136	spoolsv.exe
356	explorer.exe
2132	spoolsv.exe
356	explorer.exe
384	spoolsv.exe
356	explorer.exe
2800	spoolsv.exe
356	explorer.exe
1028	spoolsv.exe
356	explorer.exe
2744	spoolsv.exe
356	explorer.exe
2400	spoolsv.exe
356	explorer.exe
2512	spoolsv.exe
356	explorer.exe
2656	spoolsv.exe
356	explorer.exe
3024	spoolsv.exe
356	explorer.exe
2472	spoolsv.exe
356	explorer.exe
1924	spoolsv.exe
356	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
1636	explorer.exe
1636	explorer.exe
356	explorer.exe
356	explorer.exe
1032	spoolsv.exe
1032	spoolsv.exe
356	explorer.exe
356	explorer.exe
2896	spoolsv.exe
2896	spoolsv.exe
2824	spoolsv.exe
2824	spoolsv.exe
2572	spoolsv.exe
2572	spoolsv.exe
1532	spoolsv.exe
1532	spoolsv.exe
3000	spoolsv.exe
3000	spoolsv.exe
412	spoolsv.exe
412	spoolsv.exe
1320	spoolsv.exe
1320	spoolsv.exe
2596	spoolsv.exe
2596	spoolsv.exe
2568	spoolsv.exe
2568	spoolsv.exe
2440	spoolsv.exe
2440	spoolsv.exe
2992	spoolsv.exe
2992	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
1608	spoolsv.exe
1608	spoolsv.exe
2372	spoolsv.exe
2372	spoolsv.exe
2556	spoolsv.exe
2556	spoolsv.exe
844	spoolsv.exe
844	spoolsv.exe
1236	spoolsv.exe
1236	spoolsv.exe
1136	spoolsv.exe
1136	spoolsv.exe
2132	spoolsv.exe
2132	spoolsv.exe
384	spoolsv.exe
384	spoolsv.exe
2800	spoolsv.exe
2800	spoolsv.exe
1028	spoolsv.exe
1028	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2400	spoolsv.exe
2400	spoolsv.exe
2512	spoolsv.exe
2512	spoolsv.exe
2656	spoolsv.exe
2656	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2416 wrote to memory of 2632	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2632	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2632	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2632	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2416 wrote to memory of 2216	2416	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 3004	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
PID 2216 wrote to memory of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 2216 wrote to memory of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 2216 wrote to memory of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 2216 wrote to memory of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 2216 wrote to memory of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 2216 wrote to memory of 2820	2216	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	diskperf.exe
PID 3004 wrote to memory of 1636	3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	explorer.exe
PID 3004 wrote to memory of 1636	3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	explorer.exe
PID 3004 wrote to memory of 1636	3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	explorer.exe
PID 3004 wrote to memory of 1636	3004	12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe	explorer.exe
PID 1636 wrote to memory of 2628	1636	explorer.exe	cmd.exe
PID 1636 wrote to memory of 2628	1636	explorer.exe	cmd.exe
PID 1636 wrote to memory of 2628	1636	explorer.exe	cmd.exe
PID 1636 wrote to memory of 2628	1636	explorer.exe	cmd.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe
PID 1636 wrote to memory of 1952	1636	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2632

C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\12d0de2a14a4b41d5f2d74ecf1c04315_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2628

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1952

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
PID:336

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 216
11⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1512

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1316

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2560

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2588

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
12d0de2a14a4b41d5f2d74ecf1c04315

SHA1
1b92306a37930364e02901632c58de90b0bcc231

SHA256
196dbd3ca2711f44cf460daa54cbb05b6256f3a7cb2e55e3724123407f7706fe

SHA512
2c9e8f8d8b55afc0bad8e1f561568e802efd167d28f2b698087ab01c268d0d0388ef027d78d1a38a94267636c567732b116bf35720e9c14df48579e1162dac56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
\Windows\system\explorer.exe

Filesize
2.9MB

MD5
f581c617ffb18bda4db0f0ac0ae72558

SHA1
fd39a763962df2d0c0ae988a24cfea4fccbdb5bf

SHA256
006a2683562bf41c5913977b5c962394eead55949c9b30bdc60ad68de1f60760

SHA512
85172e5877b677384846ade274f582ba4c480150e9f074c9e91161cdcbb97ac072f56fa995a59448b6e495b71260b9869e9eb60d57cf7e4edacb3bcc44917024

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
e628d47a95b1e73518f2ef2cd28c6659

SHA1
4a9b08c1035da8d39e4b141494cc022c9adf7989

SHA256
9a78c4f2d7910179c91fa3cfb4ec7c34cf28a80e89c5725d2a863357d255f675

SHA512
48492c160d420c8302e97b05f7c965d03e665c855f2d31cf0b0306fa6328ba782030385ae1d6d80abce340bc09b47d52d08603bd65367cdcc106f5f69d6c6c6b

Download Submit
memory/356-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-1959-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/772-494-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/840-2029-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/840-547-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1252-1179-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1304-1084-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1548-749-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1548-2372-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1612-893-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1720-298-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1720-1671-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1724-797-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1724-2459-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1776-989-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1804-844-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1840-1643-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1840-243-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1952-145-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1952-184-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1968-1280-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-50-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2216-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2216-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2216-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2216-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2384-598-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2384-2107-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2504-2302-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2504-701-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2520-1930-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2608-1131-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2644-649-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2644-2180-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2704-1231-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2804-1862-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2804-391-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2820-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2820-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-82-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-1791-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download