73201834b1e50cb3d4468938b1d7e1c44098de86271cb2859aaea4741012e448

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
Size

273KB
MD5

ba23e051091480c533eb482ff49ebc0e
SHA1

b82668bfee84196c5c829c8ec737c12b8c16a213
SHA256

73201834b1e50cb3d4468938b1d7e1c44098de86271cb2859aaea4741012e448
SHA512

928e40141132127663f92e5500a98245be5cf6c370110e514070aeb959a42b2e5bd4be53b0ecff7977ec298634e1e9977c6973f87efd2a0bcd9b9e70662d3b03
SSDEEP

6144:irAI/sHAeQFp9cgFa8MrVg9yGVvEF0CgckbVPyBS6ABkJyyC01:gAI/slJC9ywE0Nc0FyI6Skwh0

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2888	spools.exe
2700	spools.exe
2524	spools.exe
2584	spools.exe
2508	spools.exe
2268	spools.exe
1332	spools.exe
2908	spools.exe
2848	spools.exe
1704	spools.exe
2292	spools.exe
2720	spools.exe
1876	spools.exe
3044	spools.exe
2176	spools.exe
1616	spools.exe
580	spools.exe
1088	spools.exe
1400	spools.exe
1612	spools.exe
1660	spools.exe
1048	spools.exe
1784	spools.exe
1292	spools.exe
884	spools.exe
1644	spools.exe
2320	spools.exe
2660	spools.exe
2884	spools.exe
2752	spools.exe
2564	spools.exe
2796	spools.exe
2464	spools.exe
2060	spools.exe
1964	spools.exe
2840	spools.exe
588	spools.exe
2492	spools.exe
2024	spools.exe
2092	spools.exe
1484	spools.exe
1608	spools.exe
2404	spools.exe
3008	spools.exe
1564	spools.exe
2272	spools.exe
880	spools.exe
1592	spools.exe
2852	spools.exe
2656	spools.exe
2844	spools.exe
1380	spools.exe
2832	spools.exe
1576	spools.exe
328	spools.exe
2144	spools.exe
1492	spools.exe
924	spools.exe
800	spools.exe
1928	spools.exe
2748	spools.exe
668	spools.exe
1792	spools.exe
1944	spools.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2700	spools.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
2584	spools.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
1040	WerFault.exe
2268	spools.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2908	spools.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1704	spools.exe
788	WerFault.exe
788	WerFault.exe
788	WerFault.exe
788	WerFault.exe
2720	spools.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
3044	spools.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1616	spools.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1088	spools.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1612	spools.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
1048	spools.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1292	spools.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe"	spools.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File created	C:\Windows\SysWOW64\spools.exe	spools.exe
File opened for modification	C:\Windows\SysWOW64\spools.exe	spools.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2888 set thread context of 2700	2888	spools.exe	33
PID 2524 set thread context of 2584	2524	spools.exe	36
PID 2508 set thread context of 2268	2508	spools.exe	39
PID 1332 set thread context of 2908	1332	spools.exe	42
PID 2848 set thread context of 1704	2848	spools.exe	45
PID 2292 set thread context of 2720	2292	spools.exe	48
PID 1876 set thread context of 3044	1876	spools.exe	51
PID 2176 set thread context of 1616	2176	spools.exe	54
PID 580 set thread context of 1088	580	spools.exe	57
PID 1400 set thread context of 1612	1400	spools.exe	60
PID 1660 set thread context of 1048	1660	spools.exe	63
PID 1784 set thread context of 1292	1784	spools.exe	66
PID 884 set thread context of 1644	884	spools.exe	69
PID 2320 set thread context of 2660	2320	spools.exe	72
PID 2884 set thread context of 2752	2884	spools.exe	75
PID 2564 set thread context of 2796	2564	spools.exe	78
PID 2464 set thread context of 2060	2464	spools.exe	81
PID 1964 set thread context of 2840	1964	spools.exe	84
PID 588 set thread context of 2492	588	spools.exe	87
PID 2024 set thread context of 2092	2024	spools.exe	90
PID 1484 set thread context of 1608	1484	spools.exe	93
PID 2404 set thread context of 3008	2404	spools.exe	96
PID 1564 set thread context of 2272	1564	spools.exe	99
PID 880 set thread context of 1592	880	spools.exe	102
PID 2852 set thread context of 2656	2852	spools.exe	105
PID 2844 set thread context of 1380	2844	spools.exe	108
PID 2832 set thread context of 1576	2832	spools.exe	111
PID 328 set thread context of 2144	328	spools.exe	114
PID 1492 set thread context of 924	1492	spools.exe	117
PID 800 set thread context of 1928	800	spools.exe	120
PID 2748 set thread context of 668	2748	spools.exe	123
PID 1792 set thread context of 1944	1792	spools.exe	126
PID 1976 set thread context of 1900	1976	spools.exe	129
PID 2044 set thread context of 2532	2044	spools.exe	132
PID 2340 set thread context of 2160	2340	spools.exe	135
PID 2680 set thread context of 1056	2680	spools.exe	138
PID 2548 set thread context of 840	2548	spools.exe	141
PID 624 set thread context of 484	624	spools.exe	144
PID 1676 set thread context of 3112	1676	spools.exe	147
PID 3176 set thread context of 3216	3176	spools.exe	150
PID 3284 set thread context of 3320	3284	spools.exe	153
PID 3384 set thread context of 3412	3384	spools.exe	156
PID 3476 set thread context of 3508	3476	spools.exe	159
PID 3572 set thread context of 3612	3572	spools.exe	162
PID 3676 set thread context of 3708	3676	spools.exe	165
PID 3776 set thread context of 3808	3776	spools.exe	168
PID 3872 set thread context of 3908	3872	spools.exe	171
PID 3972 set thread context of 4008	3972	spools.exe	174
PID 4072 set thread context of 708	4072	spools.exe	177
PID 3156 set thread context of 1808	3156	spools.exe	180
PID 3304 set thread context of 1472	3304	spools.exe	183
PID 3484 set thread context of 3528	3484	spools.exe	186
PID 3636 set thread context of 3672	3636	spools.exe	189
PID 3836 set thread context of 3888	3836	spools.exe	192
PID 4036 set thread context of 4068	4036	spools.exe	195
PID 3168 set thread context of 3292	3168	spools.exe	198
PID 3468 set thread context of 3420	3468	spools.exe	201
PID 3756 set thread context of 3916	3756	spools.exe	204
PID 3188 set thread context of 3348	3188	spools.exe	207
PID 3640 set thread context of 3788	3640	spools.exe	210
PID 3236 set thread context of 3768	3236	spools.exe	213
PID 1412 set thread context of 2348	1412	spools.exe	216
PID 2244 set thread context of 3160	2244	spools.exe	219

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2628	2976	WerFault.exe	29
2556	2888	WerFault.exe	32
1720	2524	WerFault.exe	35
1040	2508	WerFault.exe	38
2704	1332	WerFault.exe	41
1632	2848	WerFault.exe	44
788	2292	WerFault.exe	47
2164	1876	WerFault.exe	50
1452	2176	WerFault.exe	53
1536	580	WerFault.exe	56
1336	1400	WerFault.exe	59
2304	1660	WerFault.exe	62
1936	1784	WerFault.exe	65
1712	884	WerFault.exe	68
2784	2320	WerFault.exe	71
2560	2884	WerFault.exe	74
2960	2564	WerFault.exe	77
2376	2464	WerFault.exe	80
2860	1964	WerFault.exe	83
1896	588	WerFault.exe	86
2084	2024	WerFault.exe	89
980	1484	WerFault.exe	92
768	2404	WerFault.exe	95
2332	1564	WerFault.exe	98
1596	880	WerFault.exe	101
3016	2852	WerFault.exe	104
2856	2844	WerFault.exe	107
1908	2832	WerFault.exe	110
2936	328	WerFault.exe	113
1684	1492	WerFault.exe	116
776	800	WerFault.exe	119
448	2748	WerFault.exe	122
2140	1792	WerFault.exe	125
604	1976	WerFault.exe	128
1140	2044	WerFault.exe	131
1540	2340	WerFault.exe	134
2168	2680	WerFault.exe	137
1696	2548	WerFault.exe	140
1488	624	WerFault.exe	143
3124	1676	WerFault.exe	146
3228	3176	WerFault.exe	149
3340	3284	WerFault.exe	152
3424	3384	WerFault.exe	155
3520	3476	WerFault.exe	158
3624	3572	WerFault.exe	161
3728	3676	WerFault.exe	164
3820	3776	WerFault.exe	167
3928	3872	WerFault.exe	170
4020	3972	WerFault.exe	173
3096	4072	WerFault.exe	176
2444	3156	WerFault.exe	179
3376	3304	WerFault.exe	182
3552	3484	WerFault.exe	185
3716	3636	WerFault.exe	188
3920	3836	WerFault.exe	191
1924	4036	WerFault.exe	194
3336	3168	WerFault.exe	197
3664	3468	WerFault.exe	200
3984	3756	WerFault.exe	203
3328	3188	WerFault.exe	206
3852	3640	WerFault.exe	209
3536	3236	WerFault.exe	212
3828	1412	WerFault.exe	215
3620	2244	WerFault.exe	218

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
Token: SeDebugPrivilege	2700	spools.exe
Token: SeDebugPrivilege	2584	spools.exe
Token: SeDebugPrivilege	2268	spools.exe
Token: SeDebugPrivilege	2908	spools.exe
Token: SeDebugPrivilege	1704	spools.exe
Token: SeDebugPrivilege	2720	spools.exe
Token: SeDebugPrivilege	3044	spools.exe
Token: SeDebugPrivilege	1616	spools.exe
Token: SeDebugPrivilege	1088	spools.exe
Token: SeDebugPrivilege	1612	spools.exe
Token: SeDebugPrivilege	1048	spools.exe
Token: SeDebugPrivilege	1292	spools.exe
Token: SeDebugPrivilege	1644	spools.exe
Token: SeDebugPrivilege	2660	spools.exe
Token: SeDebugPrivilege	2752	spools.exe
Token: SeDebugPrivilege	2796	spools.exe
Token: SeDebugPrivilege	2060	spools.exe
Token: SeDebugPrivilege	2840	spools.exe
Token: SeDebugPrivilege	2492	spools.exe
Token: SeDebugPrivilege	2092	spools.exe
Token: SeDebugPrivilege	1608	spools.exe
Token: SeDebugPrivilege	3008	spools.exe
Token: SeDebugPrivilege	2272	spools.exe
Token: SeDebugPrivilege	1592	spools.exe
Token: SeDebugPrivilege	2656	spools.exe
Token: SeDebugPrivilege	1380	spools.exe
Token: SeDebugPrivilege	1576	spools.exe
Token: SeDebugPrivilege	2144	spools.exe
Token: SeDebugPrivilege	924	spools.exe
Token: SeDebugPrivilege	1928	spools.exe
Token: SeDebugPrivilege	668	spools.exe
Token: SeDebugPrivilege	1944	spools.exe
Token: SeDebugPrivilege	1900	spools.exe
Token: SeDebugPrivilege	2532	spools.exe
Token: SeDebugPrivilege	2160	spools.exe
Token: SeDebugPrivilege	1056	spools.exe
Token: SeDebugPrivilege	840	spools.exe
Token: SeDebugPrivilege	484	spools.exe
Token: SeDebugPrivilege	3112	spools.exe
Token: SeDebugPrivilege	3216	spools.exe
Token: SeDebugPrivilege	3320	spools.exe
Token: SeDebugPrivilege	3412	spools.exe
Token: SeDebugPrivilege	3508	spools.exe
Token: SeDebugPrivilege	3612	spools.exe
Token: SeDebugPrivilege	3708	spools.exe
Token: SeDebugPrivilege	3808	spools.exe
Token: SeDebugPrivilege	3908	spools.exe
Token: SeDebugPrivilege	4008	spools.exe
Token: SeDebugPrivilege	708	spools.exe
Token: SeDebugPrivilege	1808	spools.exe
Token: SeDebugPrivilege	1472	spools.exe
Token: SeDebugPrivilege	3528	spools.exe
Token: SeDebugPrivilege	3672	spools.exe
Token: SeDebugPrivilege	3888	spools.exe
Token: SeDebugPrivilege	4068	spools.exe
Token: SeDebugPrivilege	3292	spools.exe
Token: SeDebugPrivilege	3420	spools.exe
Token: SeDebugPrivilege	3916	spools.exe
Token: SeDebugPrivilege	3348	spools.exe
Token: SeDebugPrivilege	3788	spools.exe
Token: SeDebugPrivilege	3768	spools.exe
Token: SeDebugPrivilege	2348	spools.exe
Token: SeDebugPrivilege	3160	spools.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2132	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2628	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2628	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2628	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2628	2976	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2888	2132	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2888	2132	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2888	2132	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2888	2132	ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe	32
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2700	2888	spools.exe	33
PID 2888 wrote to memory of 2556	2888	spools.exe	34
PID 2888 wrote to memory of 2556	2888	spools.exe	34
PID 2888 wrote to memory of 2556	2888	spools.exe	34
PID 2888 wrote to memory of 2556	2888	spools.exe	34
PID 2700 wrote to memory of 2524	2700	spools.exe	35
PID 2700 wrote to memory of 2524	2700	spools.exe	35
PID 2700 wrote to memory of 2524	2700	spools.exe	35
PID 2700 wrote to memory of 2524	2700	spools.exe	35
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 2584	2524	spools.exe	36
PID 2524 wrote to memory of 1720	2524	spools.exe	37
PID 2524 wrote to memory of 1720	2524	spools.exe	37
PID 2524 wrote to memory of 1720	2524	spools.exe	37
PID 2524 wrote to memory of 1720	2524	spools.exe	37
PID 2584 wrote to memory of 2508	2584	spools.exe	38
PID 2584 wrote to memory of 2508	2584	spools.exe	38
PID 2584 wrote to memory of 2508	2584	spools.exe	38
PID 2584 wrote to memory of 2508	2584	spools.exe	38
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 2268	2508	spools.exe	39
PID 2508 wrote to memory of 1040	2508	spools.exe	40
PID 2508 wrote to memory of 1040	2508	spools.exe	40
PID 2508 wrote to memory of 1040	2508	spools.exe	40
PID 2508 wrote to memory of 1040	2508	spools.exe	40
PID 2268 wrote to memory of 1332	2268	spools.exe	41
PID 2268 wrote to memory of 1332	2268	spools.exe	41
PID 2268 wrote to memory of 1332	2268	spools.exe	41
PID 2268 wrote to memory of 1332	2268	spools.exe	41

C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\spools.exe
    "C:\Windows\system32\spools.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\spools.exe
      "C:\Windows\SysWOW64\spools.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2848
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1876
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2176
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:580
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1400
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1784
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:884
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2884
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2564
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2024
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2404
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:880
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2844
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2832
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:328
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2748
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1792
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        66⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1976
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        68⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        70⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        72⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2548
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        76⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:624
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:3176
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        82⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:3284
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        84⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        86⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:3476
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        88⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:3572
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        90⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        92⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3776
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:3872
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        96⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:3972
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        98⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        100⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:3304
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        104⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        106⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:3636
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        108⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:3836
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        110⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:4036
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        112⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:3168
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        114⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:3468
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        116⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:3756
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        118⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:3188
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        120⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:3640
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        122⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:3236
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        124⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:1412
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        126⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:2244
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        128⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        129⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        130⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        132⤵
        Adds Run key to start application
        
        PID:4228
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        133⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        134⤵
        Adds Run key to start application
        
        PID:4316
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        135⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        136⤵
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        137⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        138⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        139⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        140⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        142⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        143⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        144⤵
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        146⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        147⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        148⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        149⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        152⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        153⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        154⤵
        Adds Run key to start application
        
        PID:4164
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        156⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        157⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        158⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        159⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        160⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        161⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        162⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        163⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        164⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        165⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        166⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        167⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        170⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        172⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        175⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        176⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        178⤵
        Adds Run key to start application
        
        PID:4732
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        179⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        180⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        181⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        182⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        183⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        184⤵
        Adds Run key to start application
        
        PID:4620
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        185⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\SysWOW64\spools.exe"
        186⤵
        Adds Run key to start application
        
        PID:3800
        
        C:\Windows\SysWOW64\spools.exe
        
        "C:\Windows\system32\spools.exe"
        187⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 120
        186⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 120
        184⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 120
        182⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 120
        180⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 120
        178⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 120
        176⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 120
        174⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 120
        172⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 120
        170⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 120
        168⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 120
        166⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 120
        164⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 120
        162⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 120
        160⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 120
        158⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 120
        156⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 120
        154⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 120
        152⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 120
        150⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 120
        148⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 120
        146⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 120
        144⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 120
        142⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 120
        140⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 120
        138⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 120
        136⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 120
        134⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 120
        132⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 120
        130⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 120
        128⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 120
        126⤵
        Program crash
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 120
        124⤵
        Program crash
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 120
        122⤵
        Program crash
        
        PID:3852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 120
        120⤵
        Program crash
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 120
        118⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 120
        116⤵
        Program crash
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 120
        114⤵
        Program crash
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 120
        112⤵
        Program crash
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 120
        110⤵
        Program crash
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 120
        108⤵
        Program crash
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 120
        106⤵
        Program crash
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 120
        104⤵
        Program crash
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 120
        102⤵
        Program crash
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 120
        100⤵
        Program crash
        
        PID:3096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 120
        98⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 120
        96⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 120
        94⤵
        Program crash
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 120
        92⤵
        Program crash
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 120
        90⤵
        Program crash
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 120
        88⤵
        Program crash
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 120
        86⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 120
        84⤵
        Program crash
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 120
        82⤵
        Program crash
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 120
        80⤵
        Program crash
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 120
        78⤵
        Program crash
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 120
        76⤵
        Program crash
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 120
        74⤵
        Program crash
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 120
        72⤵
        Program crash
        
        PID:1540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 120
        70⤵
        Program crash
        
        PID:1140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 120
        68⤵
        Program crash
        
        PID:604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 120
        66⤵
        Program crash
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 120
        64⤵
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 120
        62⤵
        Program crash
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 120
        60⤵
        Program crash
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 120
        58⤵
        Program crash
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 120
        56⤵
        Program crash
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 120
        54⤵
        Program crash
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 120
        52⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 120
        50⤵
        Program crash
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 120
        48⤵
        Program crash
        
        PID:2332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 120
        46⤵
        Program crash
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 120
        44⤵
        Program crash
        
        PID:980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 120
        42⤵
        Program crash
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 120
        40⤵
        Program crash
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 120
        38⤵
        Program crash
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 120
        36⤵
        Program crash
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 120
        34⤵
        Program crash
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 120
        32⤵
        Program crash
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 120
        30⤵
        Program crash
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 120
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 120
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 120
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 120
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 120
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 120
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 120
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 120
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 120
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 120
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 120
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 120
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 120
      4⤵
      Loads dropped DLL
      Program crash
      PID:2556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 120
  2⤵
  - Program crash
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\spools.exe

Filesize
273KB

MD5
ba23e051091480c533eb482ff49ebc0e

SHA1
b82668bfee84196c5c829c8ec737c12b8c16a213

SHA256
73201834b1e50cb3d4468938b1d7e1c44098de86271cb2859aaea4741012e448

SHA512
928e40141132127663f92e5500a98245be5cf6c370110e514070aeb959a42b2e5bd4be53b0ecff7977ec298634e1e9977c6973f87efd2a0bcd9b9e70662d3b03

Download Submit
memory/328-329-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/580-151-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/588-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/880-288-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/884-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/924-341-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1048-175-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1048-170-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1088-157-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1088-154-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1292-183-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1292-178-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1332-289-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1380-316-0x0000000002280000-0x00000000022C7000-memory.dmp

Filesize
284KB

Download
memory/1380-318-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1380-312-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1484-260-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1492-338-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1564-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1576-327-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1576-322-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1592-299-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1592-294-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1608-268-0x00000000020F0000-0x0000000002137000-memory.dmp

Filesize
284KB

Download
memory/1608-269-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1608-263-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1612-161-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1612-167-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1612-166-0x00000000035A0000-0x00000000035E7000-memory.dmp

Filesize
284KB

Download
memory/1616-143-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1616-150-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1644-193-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1644-190-0x0000000003480000-0x00000000034C7000-memory.dmp

Filesize
284KB

Download
memory/1644-187-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1704-100-0x00000000035A0000-0x00000000035E7000-memory.dmp

Filesize
284KB

Download
memory/1704-101-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1704-89-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1876-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1964-228-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2024-250-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-227-0x0000000003600000-0x0000000003647000-memory.dmp

Filesize
284KB

Download
memory/2060-223-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2060-230-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2092-253-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2092-258-0x00000000035F0000-0x0000000003637000-memory.dmp

Filesize
284KB

Download
memory/2092-259-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2132-6-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2132-16-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2132-1-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2132-5-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2132-4-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2144-332-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2144-337-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2176-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2176-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2268-57-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2268-66-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2272-291-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2272-287-0x00000000035B0000-0x00000000035F7000-memory.dmp

Filesize
284KB

Download
memory/2272-283-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2292-103-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2404-271-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2464-220-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2492-249-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2492-244-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2508-53-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2524-270-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2564-211-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2584-43-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2584-52-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2656-308-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2656-303-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2660-201-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2660-196-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2700-36-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2700-23-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2700-24-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2720-116-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2720-110-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2752-205-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2752-210-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2796-214-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2796-219-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2832-319-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2840-233-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2840-237-0x00000000035D0000-0x0000000003617000-memory.dmp

Filesize
284KB

Download
memory/2840-239-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2844-309-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2848-85-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2852-300-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2884-202-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2888-17-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2908-84-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2908-75-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2976-243-0x00000000005E0000-0x0000000000627000-memory.dmp

Filesize
284KB

Download
memory/2976-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2976-2-0x00000000005E0000-0x0000000000627000-memory.dmp

Filesize
284KB

Download
memory/3008-279-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3008-274-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3044-134-0x0000000003460000-0x00000000034A7000-memory.dmp

Filesize
284KB

Download
memory/3044-132-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3044-123-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads