warzonerat | ef852e8e54efe51c2c490e4d04960d3eea67de8f03387e6a51c36cb47b8cd45a

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
Size

2.7MB
MD5

1c8fcfc8d779cb710f0f968d82b9342e
SHA1

b3bf6dd4094ea6127f6d8058aee3bd1d6b9d9872
SHA256

ef852e8e54efe51c2c490e4d04960d3eea67de8f03387e6a51c36cb47b8cd45a
SHA512

631b453a30cd9617e5635e48be4c877a678910f2636c359cc7c022ef2551cff750da1a20d584b1a3ca3d9a51b672b24d9244cf33356ec8d3c6790581acfa70a2
SSDEEP

24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH81w:fF6mw4gxeOw46fUbNecCCFbNecG

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 31 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4384	explorer.exe
384	explorer.exe
2500	explorer.exe
4904	spoolsv.exe
1616	spoolsv.exe
3908	spoolsv.exe
8	spoolsv.exe
1040	spoolsv.exe
2416	spoolsv.exe
2780	spoolsv.exe
3448	spoolsv.exe
2552	spoolsv.exe
1752	spoolsv.exe
5088	spoolsv.exe
4120	spoolsv.exe
4660	spoolsv.exe
1516	spoolsv.exe
4596	spoolsv.exe
1660	spoolsv.exe
1328	spoolsv.exe
2560	spoolsv.exe
5096	spoolsv.exe
3420	spoolsv.exe
1864	spoolsv.exe
4652	spoolsv.exe
4780	spoolsv.exe
5008	spoolsv.exe
1952	spoolsv.exe
448	spoolsv.exe
2400	spoolsv.exe
1580	spoolsv.exe
3084	spoolsv.exe
3128	spoolsv.exe
2368	spoolsv.exe
2848	spoolsv.exe
3276	spoolsv.exe
3672	spoolsv.exe
2232	spoolsv.exe
1056	spoolsv.exe
4216	spoolsv.exe
4980	spoolsv.exe
2700	spoolsv.exe
4748	spoolsv.exe
2832	spoolsv.exe
800	spoolsv.exe
1984	spoolsv.exe
996	spoolsv.exe
4288	spoolsv.exe
4628	spoolsv.exe
3616	spoolsv.exe
2608	spoolsv.exe
1188	spoolsv.exe
1996	spoolsv.exe
4672	spoolsv.exe
712	spoolsv.exe
960	spoolsv.exe
4284	spoolsv.exe
3176	spoolsv.exe
1160	spoolsv.exe
1604	spoolsv.exe
2628	spoolsv.exe
4996	spoolsv.exe
1572	spoolsv.exe
2684	spoolsv.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4016-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4016-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
C:\Windows\System\explorer.exe	upx
behavioral2/memory/4384-40-0x0000000000400000-0x0000000000445000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
behavioral2/memory/4904-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
\??\c:\windows\system\spoolsv.exe	upx
behavioral2/memory/3908-97-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1040-117-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2780-122-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2552-137-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2552-150-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5088-153-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4660-167-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4660-179-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4596-182-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1328-196-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5096-211-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1864-237-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4780-240-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1952-256-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2400-270-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3084-298-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2368-314-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3276-329-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2232-333-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4216-361-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2700-364-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2832-378-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1984-390-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4288-404-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3616-416-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1188-429-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4672-442-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/960-467-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3176-469-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1604-483-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2068-495-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1588-508-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4112-523-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4112-532-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3052-542-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe

Suspicious use of SetThreadContext 37 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4016 set thread context of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 set thread context of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 set thread context of 4380	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 4384 set thread context of 384	4384	explorer.exe	explorer.exe
PID 384 set thread context of 2500	384	explorer.exe	explorer.exe
PID 384 set thread context of 3792	384	explorer.exe	diskperf.exe
PID 4904 set thread context of 1616	4904	spoolsv.exe	spoolsv.exe
PID 3908 set thread context of 8	3908	spoolsv.exe	spoolsv.exe
PID 1040 set thread context of 2416	1040	spoolsv.exe	spoolsv.exe
PID 2780 set thread context of 3448	2780	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 1752	2552	spoolsv.exe	spoolsv.exe
PID 5088 set thread context of 4120	5088	spoolsv.exe	spoolsv.exe
PID 4660 set thread context of 1516	4660	spoolsv.exe	spoolsv.exe
PID 4596 set thread context of 1660	4596	spoolsv.exe	spoolsv.exe
PID 1328 set thread context of 2560	1328	spoolsv.exe	spoolsv.exe
PID 5096 set thread context of 3420	5096	spoolsv.exe	spoolsv.exe
PID 1864 set thread context of 4652	1864	spoolsv.exe	spoolsv.exe
PID 4780 set thread context of 5008	4780	spoolsv.exe	spoolsv.exe
PID 1952 set thread context of 448	1952	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 1580	2400	spoolsv.exe	spoolsv.exe
PID 3084 set thread context of 3128	3084	spoolsv.exe	spoolsv.exe
PID 2368 set thread context of 2848	2368	spoolsv.exe	spoolsv.exe
PID 3276 set thread context of 3672	3276	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 1056	2232	spoolsv.exe	spoolsv.exe
PID 4216 set thread context of 4980	4216	spoolsv.exe	spoolsv.exe
PID 2700 set thread context of 4748	2700	spoolsv.exe	spoolsv.exe
PID 2832 set thread context of 800	2832	spoolsv.exe	spoolsv.exe
PID 1984 set thread context of 996	1984	spoolsv.exe	spoolsv.exe
PID 4288 set thread context of 4628	4288	spoolsv.exe	spoolsv.exe
PID 3616 set thread context of 2608	3616	spoolsv.exe	spoolsv.exe
PID 1188 set thread context of 1996	1188	spoolsv.exe	spoolsv.exe
PID 4672 set thread context of 712	4672	spoolsv.exe	spoolsv.exe
PID 960 set thread context of 4284	960	spoolsv.exe	spoolsv.exe
PID 3176 set thread context of 1160	3176	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 1016	1604	spoolsv.exe	spoolsv.exe
PID 2068 set thread context of 1552	2068	spoolsv.exe	spoolsv.exe
PID 1588 set thread context of 4704	1588	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 39 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5100	4112	WerFault.exe	spoolsv.exe
2776	3712	WerFault.exe	spoolsv.exe
2456	3712	WerFault.exe	spoolsv.exe
3212	1944	WerFault.exe	spoolsv.exe
1388	4776	WerFault.exe	spoolsv.exe
5076	2304	WerFault.exe	spoolsv.exe
2672	5100	WerFault.exe	spoolsv.exe
3536	2448	WerFault.exe	spoolsv.exe
4740	4220	WerFault.exe	spoolsv.exe
2808	228	WerFault.exe	spoolsv.exe
3636	1288	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4384	explorer.exe
4384	explorer.exe
4904	spoolsv.exe
4904	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
2500	explorer.exe
2500	explorer.exe
3908	spoolsv.exe
3908	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
1040	spoolsv.exe
1040	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
2780	spoolsv.exe
2780	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
5088	spoolsv.exe
5088	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
4660	spoolsv.exe
4660	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
4596	spoolsv.exe
4596	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
1328	spoolsv.exe
1328	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
5096	spoolsv.exe
5096	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
1864	spoolsv.exe
1864	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
4780	spoolsv.exe
4780	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
1952	spoolsv.exe
1952	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
2400	spoolsv.exe
2400	spoolsv.exe
2500	explorer.exe
2500	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
4384	explorer.exe
4384	explorer.exe
2500	explorer.exe
2500	explorer.exe
4904	spoolsv.exe
4904	spoolsv.exe
2500	explorer.exe
2500	explorer.exe
3908	spoolsv.exe
3908	spoolsv.exe
1040	spoolsv.exe
1040	spoolsv.exe
2780	spoolsv.exe
2780	spoolsv.exe
2552	spoolsv.exe
2552	spoolsv.exe
5088	spoolsv.exe
5088	spoolsv.exe
4660	spoolsv.exe
4660	spoolsv.exe
4596	spoolsv.exe
4596	spoolsv.exe
1328	spoolsv.exe
1328	spoolsv.exe
5096	spoolsv.exe
5096	spoolsv.exe
1864	spoolsv.exe
1864	spoolsv.exe
4780	spoolsv.exe
4780	spoolsv.exe
1952	spoolsv.exe
1952	spoolsv.exe
2400	spoolsv.exe
2400	spoolsv.exe
3084	spoolsv.exe
3084	spoolsv.exe
2368	spoolsv.exe
2368	spoolsv.exe
3276	spoolsv.exe
3276	spoolsv.exe
2232	spoolsv.exe
2232	spoolsv.exe
4216	spoolsv.exe
4216	spoolsv.exe
2700	spoolsv.exe
2700	spoolsv.exe
2832	spoolsv.exe
2832	spoolsv.exe
1984	spoolsv.exe
1984	spoolsv.exe
4288	spoolsv.exe
4288	spoolsv.exe
3616	spoolsv.exe
3616	spoolsv.exe
1188	spoolsv.exe
1188	spoolsv.exe
4672	spoolsv.exe
4672	spoolsv.exe
960	spoolsv.exe
960	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 4016 wrote to memory of 3668	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 4016 wrote to memory of 3668	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 4016 wrote to memory of 3668	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	cmd.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 4016 wrote to memory of 3596	4016	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4072	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
PID 3596 wrote to memory of 4380	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 3596 wrote to memory of 4380	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 3596 wrote to memory of 4380	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 3596 wrote to memory of 4380	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 3596 wrote to memory of 4380	3596	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	diskperf.exe
PID 4072 wrote to memory of 4384	4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 4072 wrote to memory of 4384	4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 4072 wrote to memory of 4384	4072	1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe	explorer.exe
PID 4384 wrote to memory of 2512	4384	explorer.exe	cmd.exe
PID 4384 wrote to memory of 2512	4384	explorer.exe	cmd.exe
PID 4384 wrote to memory of 2512	4384	explorer.exe	cmd.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe
PID 4384 wrote to memory of 384	4384	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:3668

C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1c8fcfc8d779cb710f0f968d82b9342e_JaffaCakes118.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2512

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:384

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:8

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 560
8⤵
- Program crash
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 560
8⤵
- Program crash
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 504
8⤵
- Program crash
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 564
8⤵
- Program crash
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 564
8⤵
- Program crash
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 504
8⤵
- Program crash
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 560
8⤵
- Program crash
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 504
8⤵
- Program crash
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 552
8⤵
- Program crash
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 560
8⤵
- Program crash
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 560
8⤵
- Program crash
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4112 -ip 4112
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3712 -ip 3712
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3712 -ip 3712
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4776 -ip 4776
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2304 -ip 2304
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5100 -ip 5100
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2448 -ip 2448
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4220 -ip 4220
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 228 -ip 228
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1288 -ip 1288
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.7MB

MD5
1c8fcfc8d779cb710f0f968d82b9342e

SHA1
b3bf6dd4094ea6127f6d8058aee3bd1d6b9d9872

SHA256
ef852e8e54efe51c2c490e4d04960d3eea67de8f03387e6a51c36cb47b8cd45a

SHA512
631b453a30cd9617e5635e48be4c877a678910f2636c359cc7c022ef2551cff750da1a20d584b1a3ca3d9a51b672b24d9244cf33356ec8d3c6790581acfa70a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.7MB

MD5
e495b77c6a8c3dd584e91030d4485e21

SHA1
1fecaa1757df226161699a5f923bccb8b15645bd

SHA256
afcb4ad42d9375e62273ad24d4f733233cb545ca9de1a2931c1bd3e48413189c

SHA512
8b604acf33876d9a0d2d6715ed7aa6600bbc6c790145529b44d0253c0bdd7eb0788a86c945d3826291fbe3a1278705eff7e0c6b8e01c5ed3acee523d26a831d5

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.7MB

MD5
cc9761ee9bf728f26b6a534b1d5c75e0

SHA1
eb07ee2dcaaea78f89d42fe92217983e905047f5

SHA256
78e700c0b3e1b17c533f409c1d9e6e6f80470929f563a7f2dc0e5581c4ec2749

SHA512
59a9b124cc5cf4c66370fb753057f7e7a5953f31f533faddbee85e2922eb282f99a88ef06d8c401b51a98b7edda4b08c6c2a49a71b9bd5c60e00079c38abbf96

Download Submit
memory/8-105-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/8-109-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/8-103-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/8-101-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/8-100-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/8-102-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/384-50-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/384-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/384-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/384-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/384-69-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/384-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/384-56-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/384-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/384-74-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/448-267-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/712-454-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/800-387-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/960-467-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/996-402-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1016-493-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1040-117-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1056-345-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1160-479-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1188-429-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1328-196-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1516-180-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1580-284-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1588-508-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1604-483-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1616-89-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1616-95-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1616-87-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1616-90-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1616-91-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1616-88-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1660-193-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1752-148-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1864-237-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1952-256-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1984-390-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1996-440-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2068-495-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2232-333-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2368-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2400-270-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2416-115-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2416-118-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2416-116-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-114-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-113-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2416-112-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2500-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2552-150-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2552-137-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2560-208-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2608-428-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2700-364-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2780-122-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2832-378-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2848-312-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3052-542-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3084-298-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3128-299-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3176-469-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3276-329-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3420-222-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3448-134-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-13-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-12-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3596-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-5-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-11-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-14-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3596-32-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3616-416-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3672-330-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3908-97-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4016-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4016-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4072-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-53-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4072-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-523-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4112-532-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4120-164-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4216-361-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4284-468-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4288-404-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4380-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4380-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4380-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4384-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4596-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4628-415-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4652-238-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4660-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4660-167-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4672-442-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4704-522-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-376-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4780-240-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4904-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4980-362-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5008-253-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5088-153-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5096-211-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download