warzonerat | 9bf132141bbd8a842f487efecf12ca6a4f0bcbaae8aa578480bea2fb95c5bbaf

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
Size

2.9MB
MD5

1d02d54daf75df2128c2b9bb12682f2b
SHA1

1fc242fe45d6f7fd8fa6f70c9de5cc84db062f11
SHA256

9bf132141bbd8a842f487efecf12ca6a4f0bcbaae8aa578480bea2fb95c5bbaf
SHA512

a17fd2af30c0c1ae276f9dc9e19a2662681a5e215e0bd6ec6d59087ce959661d353ed1bb2e1af1b6f9bc255840616f4280b6cd9d247da68a900cf86414bff7fb
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHn:3Ty7A3mw4gxeOw46fUbNecCCFbNecK

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 21 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1904	explorer.exe
1792	explorer.exe
816	explorer.exe
1532	spoolsv.exe
1172	spoolsv.exe
892	spoolsv.exe
1716	spoolsv.exe
2288	spoolsv.exe
2044	spoolsv.exe
1000	spoolsv.exe
1300	spoolsv.exe
896	spoolsv.exe
2940	spoolsv.exe
2996	spoolsv.exe
612	spoolsv.exe
1492	spoolsv.exe
2960	spoolsv.exe
2204	spoolsv.exe
1544	spoolsv.exe
1704	spoolsv.exe
1784	spoolsv.exe
2484	spoolsv.exe
2060	spoolsv.exe
2448	spoolsv.exe
804	spoolsv.exe
2148	spoolsv.exe
2892	spoolsv.exe
448	spoolsv.exe
1288	spoolsv.exe
1748	spoolsv.exe
2572	spoolsv.exe
2724	spoolsv.exe
1128	spoolsv.exe
2560	spoolsv.exe
2332	spoolsv.exe
2944	spoolsv.exe
2436	spoolsv.exe
292	spoolsv.exe
1756	spoolsv.exe
1028	spoolsv.exe
2524	spoolsv.exe
1536	spoolsv.exe
956	spoolsv.exe
2868	spoolsv.exe
3016	spoolsv.exe
2460	spoolsv.exe
2456	spoolsv.exe
1384	spoolsv.exe
2824	spoolsv.exe
2092	spoolsv.exe
2848	spoolsv.exe
2788	spoolsv.exe
2952	spoolsv.exe
1532	spoolsv.exe
1440	spoolsv.exe
1376	spoolsv.exe
2288	spoolsv.exe
1480	spoolsv.exe
2748	spoolsv.exe
1704	spoolsv.exe
2780	spoolsv.exe
896	spoolsv.exe
3024	spoolsv.exe
1304	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
816	explorer.exe
816	explorer.exe
1532	spoolsv.exe
816	explorer.exe
816	explorer.exe
892	spoolsv.exe
816	explorer.exe
816	explorer.exe
2288	spoolsv.exe
816	explorer.exe
816	explorer.exe
1000	spoolsv.exe
816	explorer.exe
816	explorer.exe
896	spoolsv.exe
816	explorer.exe
816	explorer.exe
2996	spoolsv.exe
816	explorer.exe
816	explorer.exe
1492	spoolsv.exe
816	explorer.exe
816	explorer.exe
2204	spoolsv.exe
816	explorer.exe
816	explorer.exe
1704	spoolsv.exe
816	explorer.exe
816	explorer.exe
2484	spoolsv.exe
816	explorer.exe
816	explorer.exe
2448	spoolsv.exe
816	explorer.exe
816	explorer.exe
2148	spoolsv.exe
816	explorer.exe
816	explorer.exe
448	spoolsv.exe
816	explorer.exe
816	explorer.exe
1748	spoolsv.exe
816	explorer.exe
816	explorer.exe
2724	spoolsv.exe
816	explorer.exe
816	explorer.exe
2560	spoolsv.exe
816	explorer.exe
816	explorer.exe
2944	spoolsv.exe
816	explorer.exe
816	explorer.exe
292	spoolsv.exe
816	explorer.exe
816	explorer.exe
1028	spoolsv.exe
816	explorer.exe
816	explorer.exe
1536	spoolsv.exe
816	explorer.exe
816	explorer.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2512 set thread context of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 set thread context of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 set thread context of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 1904 set thread context of 1792	1904	explorer.exe	explorer.exe
PID 1792 set thread context of 816	1792	explorer.exe	explorer.exe
PID 1792 set thread context of 2368	1792	explorer.exe	diskperf.exe
PID 1532 set thread context of 1172	1532	spoolsv.exe	spoolsv.exe
PID 892 set thread context of 1716	892	spoolsv.exe	spoolsv.exe
PID 2288 set thread context of 2044	2288	spoolsv.exe	spoolsv.exe
PID 1000 set thread context of 1300	1000	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 2940	896	spoolsv.exe	spoolsv.exe
PID 2996 set thread context of 612	2996	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 2960	1492	spoolsv.exe	spoolsv.exe
PID 2204 set thread context of 1544	2204	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 1784	1704	spoolsv.exe	spoolsv.exe
PID 2484 set thread context of 2060	2484	spoolsv.exe	spoolsv.exe
PID 2448 set thread context of 804	2448	spoolsv.exe	spoolsv.exe
PID 2148 set thread context of 2892	2148	spoolsv.exe	spoolsv.exe
PID 448 set thread context of 1288	448	spoolsv.exe	spoolsv.exe
PID 1748 set thread context of 2572	1748	spoolsv.exe	spoolsv.exe
PID 2724 set thread context of 1128	2724	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 2332	2560	spoolsv.exe	spoolsv.exe
PID 2944 set thread context of 2436	2944	spoolsv.exe	spoolsv.exe
PID 292 set thread context of 1756	292	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 2524	1028	spoolsv.exe	spoolsv.exe
PID 1536 set thread context of 956	1536	spoolsv.exe	spoolsv.exe
PID 2868 set thread context of 3016	2868	spoolsv.exe	spoolsv.exe
PID 2460 set thread context of 2456	2460	spoolsv.exe	spoolsv.exe
PID 1384 set thread context of 2824	1384	spoolsv.exe	spoolsv.exe
PID 2092 set thread context of 2848	2092	spoolsv.exe	spoolsv.exe
PID 2788 set thread context of 2952	2788	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 1440	1532	spoolsv.exe	spoolsv.exe
PID 1376 set thread context of 2288	1376	spoolsv.exe	spoolsv.exe
PID 1480 set thread context of 2748	1480	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 2780	1704	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 3024	896	spoolsv.exe	spoolsv.exe
PID 1172 set thread context of 1304	1172	spoolsv.exe	spoolsv.exe
PID 1172 set thread context of 540	1172	spoolsv.exe	diskperf.exe
PID 1716 set thread context of 2464	1716	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 296	1716	spoolsv.exe	diskperf.exe
PID 1500 set thread context of 1392	1500	spoolsv.exe	spoolsv.exe
PID 2044 set thread context of 1644	2044	spoolsv.exe	spoolsv.exe
PID 1812 set thread context of 1996	1812	explorer.exe	explorer.exe
PID 2044 set thread context of 2468	2044	spoolsv.exe	diskperf.exe
PID 2336 set thread context of 2156	2336	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 2816	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 1564	1300	spoolsv.exe	diskperf.exe
PID 2800 set thread context of 1652	2800	spoolsv.exe	spoolsv.exe
PID 2940 set thread context of 1836	2940	spoolsv.exe	spoolsv.exe
PID 1944 set thread context of 2788	1944	spoolsv.exe	spoolsv.exe
PID 2940 set thread context of 2996	2940	spoolsv.exe	diskperf.exe
PID 2960 set thread context of 1088	2960	spoolsv.exe	spoolsv.exe
PID 2960 set thread context of 1864	2960	spoolsv.exe	diskperf.exe
PID 612 set thread context of 2500	612	spoolsv.exe	spoolsv.exe
PID 1552 set thread context of 2412	1552	explorer.exe	explorer.exe
PID 612 set thread context of 2384	612	spoolsv.exe	diskperf.exe
PID 1480 set thread context of 2256	1480	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 2508	1544	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 2644	1544	spoolsv.exe	diskperf.exe
PID 2696 set thread context of 1624	2696	spoolsv.exe	spoolsv.exe
PID 2212 set thread context of 2076	2212	explorer.exe	explorer.exe
PID 1784 set thread context of 2924	1784	spoolsv.exe	spoolsv.exe
PID 1784 set thread context of 2300	1784	spoolsv.exe	diskperf.exe
PID 764 set thread context of 2860	764	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 48 IoCs

Processes:

spoolsv.exespoolsv.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
1904	explorer.exe
1532	spoolsv.exe
816	explorer.exe
816	explorer.exe
892	spoolsv.exe
816	explorer.exe
2288	spoolsv.exe
816	explorer.exe
1000	spoolsv.exe
816	explorer.exe
896	spoolsv.exe
816	explorer.exe
2996	spoolsv.exe
816	explorer.exe
1492	spoolsv.exe
816	explorer.exe
2204	spoolsv.exe
816	explorer.exe
1704	spoolsv.exe
816	explorer.exe
2484	spoolsv.exe
816	explorer.exe
2448	spoolsv.exe
816	explorer.exe
2148	spoolsv.exe
816	explorer.exe
448	spoolsv.exe
816	explorer.exe
1748	spoolsv.exe
816	explorer.exe
2724	spoolsv.exe
816	explorer.exe
2560	spoolsv.exe
816	explorer.exe
2944	spoolsv.exe
816	explorer.exe
292	spoolsv.exe
816	explorer.exe
1028	spoolsv.exe
816	explorer.exe
1536	spoolsv.exe
816	explorer.exe
2868	spoolsv.exe
816	explorer.exe
2460	spoolsv.exe
816	explorer.exe
1384	spoolsv.exe
816	explorer.exe
2092	spoolsv.exe
816	explorer.exe
2788	spoolsv.exe
816	explorer.exe
1532	spoolsv.exe
816	explorer.exe
1376	spoolsv.exe
816	explorer.exe
1480	spoolsv.exe
816	explorer.exe
1704	spoolsv.exe
816	explorer.exe
896	spoolsv.exe
816	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
1904	explorer.exe
1904	explorer.exe
816	explorer.exe
816	explorer.exe
1532	spoolsv.exe
1532	spoolsv.exe
816	explorer.exe
816	explorer.exe
892	spoolsv.exe
892	spoolsv.exe
2288	spoolsv.exe
2288	spoolsv.exe
1000	spoolsv.exe
1000	spoolsv.exe
896	spoolsv.exe
896	spoolsv.exe
2996	spoolsv.exe
2996	spoolsv.exe
1492	spoolsv.exe
1492	spoolsv.exe
2204	spoolsv.exe
2204	spoolsv.exe
1704	spoolsv.exe
1704	spoolsv.exe
2484	spoolsv.exe
2484	spoolsv.exe
2448	spoolsv.exe
2448	spoolsv.exe
2148	spoolsv.exe
2148	spoolsv.exe
448	spoolsv.exe
448	spoolsv.exe
1748	spoolsv.exe
1748	spoolsv.exe
2724	spoolsv.exe
2724	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2944	spoolsv.exe
2944	spoolsv.exe
292	spoolsv.exe
292	spoolsv.exe
1028	spoolsv.exe
1028	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
2868	spoolsv.exe
2868	spoolsv.exe
2460	spoolsv.exe
2460	spoolsv.exe
1384	spoolsv.exe
1384	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2788	spoolsv.exe
2788	spoolsv.exe
1532	spoolsv.exe
1532	spoolsv.exe
1376	spoolsv.exe
1376	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2512 wrote to memory of 2508	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	cmd.exe
PID 2512 wrote to memory of 2508	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	cmd.exe
PID 2512 wrote to memory of 2508	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	cmd.exe
PID 2512 wrote to memory of 2508	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	cmd.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2512 wrote to memory of 2340	2512	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 3032	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
PID 2340 wrote to memory of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 2340 wrote to memory of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 2340 wrote to memory of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 2340 wrote to memory of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 2340 wrote to memory of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 2340 wrote to memory of 2672	2340	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	diskperf.exe
PID 3032 wrote to memory of 1904	3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1904	3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1904	3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1904	3032	1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe	explorer.exe
PID 1904 wrote to memory of 840	1904	explorer.exe	cmd.exe
PID 1904 wrote to memory of 840	1904	explorer.exe	cmd.exe
PID 1904 wrote to memory of 840	1904	explorer.exe	cmd.exe
PID 1904 wrote to memory of 840	1904	explorer.exe	cmd.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe
PID 1904 wrote to memory of 1792	1904	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2508

C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1792

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
PID:1304

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1336

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1836

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:532

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2508

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2504

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2924

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:836

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2616

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:844

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1035274366-1877637678-437543918-1000518550-292216922-2071105968-1653499223640498575"
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.8MB

MD5
8b2882ca23d59279967971662f3a3835

SHA1
e8ed426401040acbbb86bbdb8908b3774abb534e

SHA256
3f7c8949daa42f7b6d1ed82614fec3ffd3f53f6afc82e8be96768c701c88c1cb

SHA512
61eaf1d701fc1ed98edde26ffd7aa7d3e98575a8d9b29018b88cb7e675633b41340a886405704ff0155df360e241a94f9c8b2363eb5a862cc2508b18f16fe182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

Filesize
1.2MB

MD5
08400aafe1712155f8ce5353ce069d6c

SHA1
3dfbb9223652503388420e79ccd255810c1688a6

SHA256
2b844c90a8488052d8a39399ead6fac02d80bce06d1f6bd565d44f076816fb04

SHA512
060e0ebb4dbe0c458f42adf6aad71b5052aa3f76e5c1e7fc2acd74188754d13441b60c526ca923e1560c6ca9c94546bc16266ab687369f5bdf541516b63bbdd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.1MB

MD5
fe042afa7691d58969c13be0149fc97e

SHA1
fa604c6fad1e6569ffffe4842c239f6c80402838

SHA256
053537f4d6ae62f97e5ad23300e2c4caed732573c5659592ae0edd76ccbca791

SHA512
554b4621b993865bb27bbcc37d7fe29c213fbcbf05c1b2955c62f4798956c43273273280e304a6894f164700d28737b870858a2f280d3262974935e68685ec94

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
181c1ee8206f80c8b5fcdc9e9e65af23

SHA1
bc8c8fce12bda624423a6fb1c47c55989040504c

SHA256
73bf8ad9351c078dc2bf273194d9b575f55e20ec810e7cae5cf6dc19a4efec47

SHA512
91dbe2cfd8c9519fb713eb66017c8a77b121b8908ed9bab7f09dec4a03a93145b9d1fc1ec39f0f9ba295a02173c1e1a12da9d6fc68144c42eaa76810b41f2e21

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.8MB

MD5
b5d32f036f1effb2dea8f37df4f13206

SHA1
29b9c812f89395aee965f2ef8e05e2ba833767ac

SHA256
bf3ff067b6ff6cf38021d97c9daac6a8c954830bf7a60f0a688c1721c0277d04

SHA512
6631ca814df5ee8cd9d000513fdabb6a70bb2afe4349bbf065a92aa439a71d304cecf3d6e84e8ba1858075dafc3aa1046e05d3b717c37bc0de132c09b236f92c

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.9MB

MD5
24a48317e2adbe34195c1b67d2335dcd

SHA1
d55ebae87d934ab6913636dee44eecd1ed05c6f1

SHA256
6378cb3125ca8a5391c6744af9f38ab39e1f311a722312c0bd0cee9028cc8a92

SHA512
580bfd9079ddf0ec27ab8f1076875f201b92eff9331e44fc2463c4878d8d59f5710b29865f989801bbbfc1fc115c338175f81b98a945dc41adcdf0c4d311fd3a

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
10c6f5ba2aafa3fc2f08699ecc15a6e9

SHA1
5e2c213de821dd79febb48ffaed3b500f4ceabdc

SHA256
b037c2c4a989c58d3c0969388e81f0853841ad4881fa779873f8c73604aee728

SHA512
a737465a43a938764b64578c58eef91c1cf7a48070ffddc072297436139d269860924c9a6a66d694bbc823086ad46c956cc094e4ca73b322e96ee6cf67ee7746

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
448KB

MD5
5944d82e9ff80003dc37920f866e0450

SHA1
6db32fc84a0a2b7e7bdbd760f81e7950c4da9fed

SHA256
43a859ffe0111629a55037890778eeff377f858073c0b6a55f6f70b378bcf363

SHA512
d16e07591f7f7474b59f5ff2627eefdf2d2000e8be7d4446db654815e1f185883d70d2680035772db340d2a762c79b6c3d15be5642bbc94460afdddb96b8b8ab

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.1MB

MD5
052b7aeff6bacb4693eaa91c96476470

SHA1
79fdc662c7cb9a43f7b13f41fc397350cf2cf5c2

SHA256
0a9a8d34a8db66a4e8c3503b0a8e3a164e17259bae2719ad3e8610f0915e671c

SHA512
a35673d7d95d9a33b1ae3b02b0609fc5ead4830e9397d7eda9cfc8517f9e2ce52f3541b769dca9e2e78773e3ed620abad12d89ad23b43a4b57addaff85d6b7eb

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
06d34cb5e6b09bc22ca402e641210155

SHA1
80eba58c6e876a9887617257c1ace59a03d1205c

SHA256
b0362f48f51f84aedebadfe5ae930de6aa82f12df2ada3d421e5d9e8816469ce

SHA512
a581601b11bbc3e1d3e98af64bc4ed028161d0e7e20ccdb0b53b5db0383b9e10e547c338fc2c4afca8a0e8a66f432382e6e9b1ff1d7d4af6694ec7f2ec69d2dd

Download Submit
\Windows\system\spoolsv.exe

Filesize
640KB

MD5
edddcca23e1aba3e08969be172f73781

SHA1
067839385b2877fe5fd6ba1d3754d4a2d7d2ecae

SHA256
a6ef06505dc11091cc9b9d83078a8204c3ebb2be4212a39b09067ebc9cfb42ad

SHA512
6151cebd7d98f70a4c11fb589cc4f130b4e687b0b9e19aa3761d0b3bb775dd1a8e8c7bcdd2625e7c425b092998806e068de56adb4507867b510973b20cdc3b54

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
6af18b535e64cf67305225b039e6d340

SHA1
5ea9bc5a3d7d4db0c2ea701a7bbc279298c80cfe

SHA256
98738144b292db26d3714f48d11790614e7c5038838320bb5f314d48189ddb88

SHA512
d3db9c2ce173e09d30c220d6b5a530a7965521ebab6e36025be4d246808e088a007fe612130cf786a9500c8133fff3f9a2f3150853264b0f8ddf093f28574145

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.9MB

MD5
661bd360d561f7cfb9275561b59bdf91

SHA1
1bc3c7ce10de0d8a859b9e552b83da56310c443c

SHA256
3b99dbd0d59959c63a2cc4d85ff73824bccc9ca05ef41a1801200c9cc2afe885

SHA512
01c687ed4c401b71b3100834643c5c2010bdc2da90a400c382cbda9430e463fde07b9acf803d81f860d38317186ba965d64e6e897683796c7c90a2d761431940

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.7MB

MD5
26019d5170395b5d219e1384c5b95c06

SHA1
c29f66169c9b3f7c0e69e039f43072ab4645050d

SHA256
03b25f795ae996ab437e66ce71d356beaf6e2696017ebf26f55f1acb964bcdee

SHA512
03bc1eb0155591db6d2e6a71fe483cdabc91322b15e020b2227278e480989a5724bdb62dd58ba90493a60d64d2106d7236122b4f78e14472cb37da1ea5644830

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
8c4ec85e18944d07275563b86fd46b62

SHA1
6ca4abf947fdc939a8dc9cdc1636ec5d87c3359d

SHA256
6da515675836847c32f54ed80275e1f58d670ee8180da11cdbb9f8d777fbd03e

SHA512
af1b65b6dd0050f4a1a837ccdb51343f481ef1617b14ab7bfec3f64b750dbed8be04fc991e0d199ba7aa63fbe2820ffcc366ee775ff4795afeb36a78fb17356a

Download Submit
memory/612-2082-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/612-489-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/816-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-240-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1172-1654-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1300-1874-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1300-387-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1544-593-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1544-2173-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1716-287-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1716-1682-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1784-2285-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-647-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1792-143-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1792-178-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2044-1804-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2044-337-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2060-2396-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2060-699-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-77-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-48-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2340-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-34-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2340-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2340-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2340-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2672-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2940-1983-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2940-437-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2960-539-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2960-2023-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3032-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download