warzonerat | ed93c819de29457558bc5fc25512afaf62c9113cb2bbe14a5eb55ae947136b1b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153681893609807553891d7a33a81ee5_JaffaCakes118.exe
Size

2.7MB
MD5

153681893609807553891d7a33a81ee5
SHA1

c20eb7d70fee448c7a0cca6c7f78214d757f8dd5
SHA256

ed93c819de29457558bc5fc25512afaf62c9113cb2bbe14a5eb55ae947136b1b
SHA512

3c52228fdd34675b49c954ebad6eff3ac39273e9762205f0d08a6dbaee80e2fc2b80c7e0c7eca2447c708850a15dd4fd82d657f75403f72bef5d50ecf3635455
SSDEEP

24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH819:fF6mw4gxeOw46fUbNecCCFbNec7

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 35 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1944	explorer.exe
1760	explorer.exe
1636	explorer.exe
1984	spoolsv.exe
240	spoolsv.exe
1704	spoolsv.exe
904	spoolsv.exe
2908	spoolsv.exe
2720	spoolsv.exe
2764	spoolsv.exe
2740	spoolsv.exe
2072	spoolsv.exe
1320	spoolsv.exe
764	spoolsv.exe
576	spoolsv.exe
1616	spoolsv.exe
1360	spoolsv.exe
2408	spoolsv.exe
2844	spoolsv.exe
2520	spoolsv.exe
2692	spoolsv.exe
308	spoolsv.exe
556	spoolsv.exe
2284	spoolsv.exe
392	spoolsv.exe
2296	spoolsv.exe
1484	spoolsv.exe
2172	spoolsv.exe
1840	spoolsv.exe
1508	spoolsv.exe
2096	spoolsv.exe
2580	spoolsv.exe
3004	spoolsv.exe
2500	spoolsv.exe
1744	spoolsv.exe
1708	spoolsv.exe
1868	spoolsv.exe
2236	spoolsv.exe
2864	spoolsv.exe
1356	spoolsv.exe
788	spoolsv.exe
1380	spoolsv.exe
2264	spoolsv.exe
1724	spoolsv.exe
2732	spoolsv.exe
2728	spoolsv.exe
2756	spoolsv.exe
1304	spoolsv.exe
1608	spoolsv.exe
2308	spoolsv.exe
2760	spoolsv.exe
1492	spoolsv.exe
352	spoolsv.exe
2108	spoolsv.exe
2328	spoolsv.exe
2548	spoolsv.exe
2564	spoolsv.exe
2628	spoolsv.exe
2572	spoolsv.exe
2820	spoolsv.exe
2904	spoolsv.exe
332	spoolsv.exe
1768	spoolsv.exe
1332	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

153681893609807553891d7a33a81ee5_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1636	explorer.exe
1636	explorer.exe
1984	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1704	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2908	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2764	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2072	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
764	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1616	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2408	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2520	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
308	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2284	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2296	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2172	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1508	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2580	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2500	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1708	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
2236	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1356	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1380	spoolsv.exe
1636	explorer.exe
1636	explorer.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2364-44-0x0000000000400000-0x0000000000445000-memory.dmp	upx
C:\Windows\system\explorer.exe	upx
behavioral1/memory/1944-104-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1960-96-0x0000000003280000-0x00000000032C5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
\Windows\system\spoolsv.exe	upx
behavioral1/memory/1704-256-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1984-244-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2908-310-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2764-379-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2072-418-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/764-474-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1616-530-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1636-581-0x0000000002670000-0x00000000026B5000-memory.dmp	upx
behavioral1/memory/2408-589-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1636-645-0x0000000002670000-0x00000000026B5000-memory.dmp	upx
behavioral1/memory/2520-648-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/308-706-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2284-779-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1636-1240-0x0000000002670000-0x00000000026B5000-memory.dmp	upx
behavioral1/memory/1636-2177-0x0000000002670000-0x00000000026B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe153681893609807553891d7a33a81ee5_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

153681893609807553891d7a33a81ee5_JaffaCakes118.exe153681893609807553891d7a33a81ee5_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2364 set thread context of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 set thread context of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 set thread context of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 1944 set thread context of 1760	1944	explorer.exe	explorer.exe
PID 1760 set thread context of 1636	1760	explorer.exe	explorer.exe
PID 1760 set thread context of 1644	1760	explorer.exe	diskperf.exe
PID 1984 set thread context of 240	1984	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 904	1704	spoolsv.exe	spoolsv.exe
PID 2908 set thread context of 2720	2908	spoolsv.exe	spoolsv.exe
PID 2764 set thread context of 2740	2764	spoolsv.exe	spoolsv.exe
PID 2072 set thread context of 1320	2072	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 576	764	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 1360	1616	spoolsv.exe	spoolsv.exe
PID 2408 set thread context of 2844	2408	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 2692	2520	spoolsv.exe	spoolsv.exe
PID 308 set thread context of 556	308	spoolsv.exe	spoolsv.exe
PID 2284 set thread context of 392	2284	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 1484	2296	spoolsv.exe	spoolsv.exe
PID 2172 set thread context of 1840	2172	spoolsv.exe	spoolsv.exe
PID 1508 set thread context of 2096	1508	spoolsv.exe	spoolsv.exe
PID 2580 set thread context of 3004	2580	spoolsv.exe	spoolsv.exe
PID 2500 set thread context of 1744	2500	spoolsv.exe	spoolsv.exe
PID 1708 set thread context of 1868	1708	spoolsv.exe	spoolsv.exe
PID 2236 set thread context of 2864	2236	spoolsv.exe	spoolsv.exe
PID 1356 set thread context of 788	1356	spoolsv.exe	spoolsv.exe
PID 1380 set thread context of 2264	1380	spoolsv.exe	spoolsv.exe
PID 1724 set thread context of 2732	1724	spoolsv.exe	spoolsv.exe
PID 2728 set thread context of 2756	2728	spoolsv.exe	spoolsv.exe
PID 1304 set thread context of 1608	1304	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 2760	2308	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 352	1492	spoolsv.exe	spoolsv.exe
PID 2108 set thread context of 2328	2108	spoolsv.exe	spoolsv.exe
PID 2548 set thread context of 2564	2548	spoolsv.exe	spoolsv.exe
PID 2628 set thread context of 2572	2628	spoolsv.exe	spoolsv.exe
PID 2820 set thread context of 2904	2820	spoolsv.exe	spoolsv.exe
PID 332 set thread context of 1768	332	spoolsv.exe	spoolsv.exe
PID 240 set thread context of 1332	240	spoolsv.exe	spoolsv.exe
PID 240 set thread context of 2200	240	spoolsv.exe	diskperf.exe
PID 904 set thread context of 1032	904	spoolsv.exe	spoolsv.exe
PID 904 set thread context of 2108	904	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 2164	1984	spoolsv.exe	spoolsv.exe
PID 840 set thread context of 2656	840	explorer.exe	explorer.exe
PID 2720 set thread context of 2464	2720	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 1632	2720	spoolsv.exe	diskperf.exe
PID 2740 set thread context of 1708	2740	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 2484	3060	spoolsv.exe	spoolsv.exe
PID 2740 set thread context of 1956	2740	spoolsv.exe	diskperf.exe
PID 1320 set thread context of 2220	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 1776	1320	spoolsv.exe	diskperf.exe
PID 2676 set thread context of 584	2676	explorer.exe	explorer.exe
PID 2240 set thread context of 3016	2240	spoolsv.exe	spoolsv.exe
PID 576 set thread context of 2752	576	spoolsv.exe	spoolsv.exe
PID 576 set thread context of 2160	576	spoolsv.exe	diskperf.exe
PID 2772 set thread context of 1812	2772	spoolsv.exe	spoolsv.exe
PID 2696 set thread context of 2400	2696	explorer.exe	explorer.exe
PID 1360 set thread context of 2088	1360	spoolsv.exe	spoolsv.exe
PID 1360 set thread context of 1492	1360	spoolsv.exe	diskperf.exe
PID 2844 set thread context of 940	2844	spoolsv.exe	spoolsv.exe
PID 1900 set thread context of 2748	1900	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 1172	2844	spoolsv.exe	diskperf.exe
PID 2992 set thread context of 2808	2992	explorer.exe	explorer.exe
PID 1032 set thread context of 1952	1032	spoolsv.exe	spoolsv.exe
PID 2692 set thread context of 2856	2692	spoolsv.exe	spoolsv.exe
PID 2692 set thread context of 2532	2692	spoolsv.exe	diskperf.exe

Drops file in Windows directory 49 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exe153681893609807553891d7a33a81ee5_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

153681893609807553891d7a33a81ee5_JaffaCakes118.exe153681893609807553891d7a33a81ee5_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1944	explorer.exe
1984	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1704	spoolsv.exe
1636	explorer.exe
2908	spoolsv.exe
1636	explorer.exe
2764	spoolsv.exe
1636	explorer.exe
2072	spoolsv.exe
1636	explorer.exe
764	spoolsv.exe
1636	explorer.exe
1616	spoolsv.exe
1636	explorer.exe
2408	spoolsv.exe
1636	explorer.exe
2520	spoolsv.exe
1636	explorer.exe
308	spoolsv.exe
1636	explorer.exe
2284	spoolsv.exe
1636	explorer.exe
2296	spoolsv.exe
1636	explorer.exe
2172	spoolsv.exe
1636	explorer.exe
1508	spoolsv.exe
1636	explorer.exe
2580	spoolsv.exe
1636	explorer.exe
2500	spoolsv.exe
1636	explorer.exe
1708	spoolsv.exe
1636	explorer.exe
2236	spoolsv.exe
1636	explorer.exe
1356	spoolsv.exe
1636	explorer.exe
1380	spoolsv.exe
1636	explorer.exe
1724	spoolsv.exe
1636	explorer.exe
2728	spoolsv.exe
1636	explorer.exe
1304	spoolsv.exe
1636	explorer.exe
2308	spoolsv.exe
1636	explorer.exe
1492	spoolsv.exe
1636	explorer.exe
2108	spoolsv.exe
1636	explorer.exe
2548	spoolsv.exe
1636	explorer.exe
2628	spoolsv.exe
1636	explorer.exe
2820	spoolsv.exe
1636	explorer.exe
332	spoolsv.exe
1636	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
1944	explorer.exe
1944	explorer.exe
1636	explorer.exe
1636	explorer.exe
1984	spoolsv.exe
1984	spoolsv.exe
1636	explorer.exe
1636	explorer.exe
1704	spoolsv.exe
1704	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2764	spoolsv.exe
2764	spoolsv.exe
2072	spoolsv.exe
2072	spoolsv.exe
764	spoolsv.exe
764	spoolsv.exe
1616	spoolsv.exe
1616	spoolsv.exe
2408	spoolsv.exe
2408	spoolsv.exe
2520	spoolsv.exe
2520	spoolsv.exe
308	spoolsv.exe
308	spoolsv.exe
2284	spoolsv.exe
2284	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
2172	spoolsv.exe
2172	spoolsv.exe
1508	spoolsv.exe
1508	spoolsv.exe
2580	spoolsv.exe
2580	spoolsv.exe
2500	spoolsv.exe
2500	spoolsv.exe
1708	spoolsv.exe
1708	spoolsv.exe
2236	spoolsv.exe
2236	spoolsv.exe
1356	spoolsv.exe
1356	spoolsv.exe
1380	spoolsv.exe
1380	spoolsv.exe
1724	spoolsv.exe
1724	spoolsv.exe
2728	spoolsv.exe
2728	spoolsv.exe
1304	spoolsv.exe
1304	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
1492	spoolsv.exe
1492	spoolsv.exe
2108	spoolsv.exe
2108	spoolsv.exe
2548	spoolsv.exe
2548	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

153681893609807553891d7a33a81ee5_JaffaCakes118.exe153681893609807553891d7a33a81ee5_JaffaCakes118.exe153681893609807553891d7a33a81ee5_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2364 wrote to memory of 1656	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	cmd.exe
PID 2364 wrote to memory of 1656	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	cmd.exe
PID 2364 wrote to memory of 1656	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	cmd.exe
PID 2364 wrote to memory of 1656	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	cmd.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2364 wrote to memory of 2184	2364	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 1960	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	153681893609807553891d7a33a81ee5_JaffaCakes118.exe
PID 2184 wrote to memory of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 2184 wrote to memory of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 2184 wrote to memory of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 2184 wrote to memory of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 2184 wrote to memory of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 2184 wrote to memory of 2556	2184	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	diskperf.exe
PID 1960 wrote to memory of 1944	1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	explorer.exe
PID 1960 wrote to memory of 1944	1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	explorer.exe
PID 1960 wrote to memory of 1944	1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	explorer.exe
PID 1960 wrote to memory of 1944	1960	153681893609807553891d7a33a81ee5_JaffaCakes118.exe	explorer.exe
PID 1944 wrote to memory of 1972	1944	explorer.exe	cmd.exe
PID 1944 wrote to memory of 1972	1944	explorer.exe	cmd.exe
PID 1944 wrote to memory of 1972	1944	explorer.exe	cmd.exe
PID 1944 wrote to memory of 1972	1944	explorer.exe	cmd.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe
PID 1944 wrote to memory of 1760	1944	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1656

C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\153681893609807553891d7a33a81ee5_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1972

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1760

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
PID:1332

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1708

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:332

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2752

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2608

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:940

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1756

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2856

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2008

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2240

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1272

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.7MB

MD5
153681893609807553891d7a33a81ee5

SHA1
c20eb7d70fee448c7a0cca6c7f78214d757f8dd5

SHA256
ed93c819de29457558bc5fc25512afaf62c9113cb2bbe14a5eb55ae947136b1b

SHA512
3c52228fdd34675b49c954ebad6eff3ac39273e9762205f0d08a6dbaee80e2fc2b80c7e0c7eca2447c708850a15dd4fd82d657f75403f72bef5d50ecf3635455

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.7MB

MD5
4fedf1e1d3a9a24f26e1c17c8ef7bed7

SHA1
29abd033dfbbe6a0b9c1b1b34e01f5000053a178

SHA256
4d2f4a3942e36c9b0087e0ba7634601182692076fd29fc36653c612a296515ea

SHA512
84d9e6556bafea07d5d97b0f36df8104075bde6227632057eae0eba8efafa401b17d2d93efab798771a1c1138f299c06ca0c9205873dec9e6ac1237431aec2fe

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.7MB

MD5
c2020a947a734ffa7e0b8a8917e3ac62

SHA1
101bed886fb237c40843a0ef54ab7bb3e15c212e

SHA256
c5ed4f0775d6490958ec5646fe8c8ad55d6ab494f97643f0367cfd00623a0522

SHA512
985371124056eef8c290171e3b41a00292bd9c762fb2e306387b8f704e6a14a4be98678a3b6ba132dac9bec082522cf0bd2a15385ac5154ffeff2596da6001ec

Download Submit
memory/240-1748-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/240-252-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/308-706-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/392-2626-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/392-804-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/556-2459-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/556-756-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/576-2123-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/576-522-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/764-474-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/904-309-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/904-1785-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1320-466-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1320-2012-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1360-583-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1360-2247-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1616-530-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1616-552-0x00000000003A0000-0x00000000003E5000-memory.dmp

Filesize
276KB

Download
memory/1636-807-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-755-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-582-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-646-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-581-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-587-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-636-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-635-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-699-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-529-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-494-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-705-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-704-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-645-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-472-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-471-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-415-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-416-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-778-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-362-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-308-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-808-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-806-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-1241-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-1240-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1636-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-2177-0x0000000002670000-0x00000000026B5000-memory.dmp

Filesize
276KB

Download
memory/1704-258-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/1704-256-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1760-186-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1760-156-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1944-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1960-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-96-0x0000000003280000-0x00000000032C5000-memory.dmp

Filesize
276KB

Download
memory/1960-103-0x0000000003280000-0x00000000032C5000-memory.dmp

Filesize
276KB

Download
memory/1960-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-244-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2072-418-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2184-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-51-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2184-91-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-73-0x0000000007180000-0x00000000071C5000-memory.dmp

Filesize
276KB

Download
memory/2184-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-38-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-54-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-50-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2184-45-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-39-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-52-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2184-53-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2284-779-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2364-44-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2364-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2408-589-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2520-651-0x0000000001D40000-0x0000000001D85000-memory.dmp

Filesize
276KB

Download
memory/2520-648-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-89-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-703-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2692-2434-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2720-1889-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2720-361-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2740-1973-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2740-412-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2764-379-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2844-2317-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2844-640-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2908-310-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2908-316-0x0000000001CF0000-0x0000000001D35000-memory.dmp

Filesize
276KB

Download