warzonerat | 1d57ebf6340c18bcf867f9890d01b99890e692d7cc2116a790800ac9fde89dac

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
Size

2.7MB
MD5

c7c487898de848c5e11c8fc5f946dcb7
SHA1

cbc0283d5aedf0622e1dad21b65938a69f7ae050
SHA256

1d57ebf6340c18bcf867f9890d01b99890e692d7cc2116a790800ac9fde89dac
SHA512

be48742991dbce68dd61820f7a77a1d29bba26313bdbecaf34633b48cbb34f631e2a340804b9261f1422cd2dfb9f5cf93171a7ce783acc0fcb49c52696d02f5b
SSDEEP

24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH81M:fF6mw4gxeOw46fUbNecCCFbNece

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015cb8-88.dat	warzonerat
behavioral1/files/0x0008000000015690-170.dat	warzonerat
behavioral1/files/0x0008000000015cce-186.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2944	explorer.exe
1516	explorer.exe
324	explorer.exe
900	spoolsv.exe
2964	spoolsv.exe
1700	spoolsv.exe
2876	spoolsv.exe
2972	spoolsv.exe
872	spoolsv.exe
1032	spoolsv.exe
1972	spoolsv.exe
3040	spoolsv.exe
2188	spoolsv.exe
2352	spoolsv.exe
400	spoolsv.exe
1292	spoolsv.exe
1604	spoolsv.exe
2096	spoolsv.exe
2640	spoolsv.exe
2408	spoolsv.exe
2380	spoolsv.exe
1260	spoolsv.exe
1772	spoolsv.exe
1832	spoolsv.exe
1764	spoolsv.exe
1872	spoolsv.exe
1164	spoolsv.exe
468	spoolsv.exe
1752	spoolsv.exe
2684	spoolsv.exe
1996	spoolsv.exe
1056	spoolsv.exe
1812	spoolsv.exe
1924	spoolsv.exe
844	spoolsv.exe
352	spoolsv.exe
2312	spoolsv.exe
904	spoolsv.exe
2020	spoolsv.exe
2784	spoolsv.exe
2668	spoolsv.exe
580	spoolsv.exe
1000	spoolsv.exe
1280	spoolsv.exe
2360	spoolsv.exe
2292	spoolsv.exe
2492	spoolsv.exe
1640	spoolsv.exe
2568	spoolsv.exe
1596	spoolsv.exe
1572	spoolsv.exe
2612	spoolsv.exe
1680	spoolsv.exe
2040	spoolsv.exe
2160	spoolsv.exe
2944	spoolsv.exe
1828	spoolsv.exe
408	spoolsv.exe
2296	spoolsv.exe
2256	spoolsv.exe
2304	spoolsv.exe
2512	spoolsv.exe
2736	spoolsv.exe
2660	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
324	explorer.exe
324	explorer.exe
900	spoolsv.exe
324	explorer.exe
324	explorer.exe
1700	spoolsv.exe
324	explorer.exe
324	explorer.exe
2972	spoolsv.exe
324	explorer.exe
324	explorer.exe
1032	spoolsv.exe
324	explorer.exe
324	explorer.exe
3040	spoolsv.exe
324	explorer.exe
324	explorer.exe
2352	spoolsv.exe
324	explorer.exe
324	explorer.exe
1292	spoolsv.exe
324	explorer.exe
324	explorer.exe
2096	spoolsv.exe
324	explorer.exe
324	explorer.exe
2408	spoolsv.exe
324	explorer.exe
324	explorer.exe
1260	spoolsv.exe
324	explorer.exe
324	explorer.exe
1832	spoolsv.exe
324	explorer.exe
324	explorer.exe
1872	spoolsv.exe
324	explorer.exe
324	explorer.exe
468	spoolsv.exe
324	explorer.exe
324	explorer.exe
2684	spoolsv.exe
324	explorer.exe
324	explorer.exe
1056	spoolsv.exe
324	explorer.exe
324	explorer.exe
1924	spoolsv.exe
324	explorer.exe
324	explorer.exe
352	spoolsv.exe
324	explorer.exe
324	explorer.exe
904	spoolsv.exe
324	explorer.exe
324	explorer.exe
2784	spoolsv.exe
324	explorer.exe
324	explorer.exe
580	spoolsv.exe
324	explorer.exe
324	explorer.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2884-41-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x0008000000015cb8-88.dat	upx
behavioral1/memory/2944-97-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2564-94-0x0000000002450000-0x0000000002495000-memory.dmp	upx
behavioral1/memory/2944-147-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x0008000000015690-170.dat	upx
behavioral1/files/0x0008000000015cce-186.dat	upx
behavioral1/memory/900-194-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1700-253-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/900-242-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1032-360-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2972-306-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3040-417-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2352-473-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3040-463-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/324-531-0x00000000026C0000-0x0000000002705000-memory.dmp	upx
behavioral1/memory/1292-530-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2096-589-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2408-646-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1260-703-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1832-754-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1872-804-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/468-858-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2684-912-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1056-965-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2684-918-0x00000000003B0000-0x00000000003F5000-memory.dmp	upx
behavioral1/memory/1924-1015-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/352-1068-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/904-1122-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 1936 set thread context of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 set thread context of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 2944 set thread context of 1516	2944	explorer.exe	39
PID 1516 set thread context of 324	1516	explorer.exe	40
PID 1516 set thread context of 1560	1516	explorer.exe	41
PID 900 set thread context of 2964	900	spoolsv.exe	45
PID 1700 set thread context of 2876	1700	spoolsv.exe	49
PID 2972 set thread context of 872	2972	spoolsv.exe	52
PID 1032 set thread context of 1972	1032	spoolsv.exe	56
PID 3040 set thread context of 2188	3040	spoolsv.exe	60
PID 2352 set thread context of 400	2352	spoolsv.exe	64
PID 1292 set thread context of 1604	1292	spoolsv.exe	68
PID 2096 set thread context of 2640	2096	spoolsv.exe	72
PID 2408 set thread context of 2380	2408	spoolsv.exe	76
PID 1260 set thread context of 1772	1260	spoolsv.exe	80
PID 1832 set thread context of 1764	1832	spoolsv.exe	84
PID 1872 set thread context of 1164	1872	spoolsv.exe	88
PID 468 set thread context of 1752	468	spoolsv.exe	92
PID 2684 set thread context of 1996	2684	spoolsv.exe	96
PID 1056 set thread context of 1812	1056	spoolsv.exe	100
PID 1924 set thread context of 844	1924	spoolsv.exe	104
PID 352 set thread context of 2312	352	spoolsv.exe	108
PID 904 set thread context of 2020	904	spoolsv.exe	112
PID 2784 set thread context of 2668	2784	spoolsv.exe	116
PID 580 set thread context of 1000	580	spoolsv.exe	120
PID 1280 set thread context of 2360	1280	spoolsv.exe	124
PID 2292 set thread context of 2492	2292	spoolsv.exe	128
PID 1640 set thread context of 2568	1640	spoolsv.exe	132
PID 1596 set thread context of 1572	1596	spoolsv.exe	136
PID 2612 set thread context of 1680	2612	spoolsv.exe	140
PID 2040 set thread context of 2160	2040	spoolsv.exe	144
PID 2944 set thread context of 1828	2944	spoolsv.exe	148
PID 408 set thread context of 2296	408	spoolsv.exe	152
PID 2256 set thread context of 2304	2256	spoolsv.exe	156
PID 2964 set thread context of 2736	2964	spoolsv.exe	160
PID 2964 set thread context of 2556	2964	spoolsv.exe	161
PID 2660 set thread context of 2880	2660	explorer.exe	166
PID 2512 set thread context of 2004	2512	spoolsv.exe	165
PID 2876 set thread context of 572	2876	spoolsv.exe	167
PID 2876 set thread context of 2252	2876	spoolsv.exe	168
PID 872 set thread context of 2800	872	spoolsv.exe	175
PID 872 set thread context of 2656	872	spoolsv.exe	176
PID 2148 set thread context of 2156	2148	spoolsv.exe	177
PID 752 set thread context of 1456	752	explorer.exe	181
PID 1820 set thread context of 2392	1820	spoolsv.exe	182
PID 1972 set thread context of 1036	1972	spoolsv.exe	183
PID 1972 set thread context of 2888	1972	spoolsv.exe	184
PID 3032 set thread context of 2664	3032	spoolsv.exe	188
PID 2188 set thread context of 1280	2188	spoolsv.exe	189
PID 2188 set thread context of 1272	2188	spoolsv.exe	190
PID 400 set thread context of 2488	400	spoolsv.exe	197
PID 400 set thread context of 816	400	spoolsv.exe	198
PID 2948 set thread context of 352	2948	explorer.exe	200
PID 1604 set thread context of 680	1604	spoolsv.exe	201
PID 2840 set thread context of 1832	2840	spoolsv.exe	199
PID 1604 set thread context of 2688	1604	spoolsv.exe	202
PID 556 set thread context of 1100	556	explorer.exe	209
PID 2184 set thread context of 476	2184	spoolsv.exe	210
PID 2640 set thread context of 2476	2640	spoolsv.exe	211
PID 2640 set thread context of 2272	2640	spoolsv.exe	212
PID 2380 set thread context of 2196	2380	spoolsv.exe	215
PID 2380 set thread context of 1348	2380	spoolsv.exe	217
PID 2724 set thread context of 2096	2724	spoolsv.exe	218

Drops file in Windows directory 47 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2944	explorer.exe
900	spoolsv.exe
324	explorer.exe
324	explorer.exe
1700	spoolsv.exe
324	explorer.exe
2972	spoolsv.exe
324	explorer.exe
1032	spoolsv.exe
324	explorer.exe
3040	spoolsv.exe
324	explorer.exe
2352	spoolsv.exe
324	explorer.exe
1292	spoolsv.exe
324	explorer.exe
2096	spoolsv.exe
324	explorer.exe
2408	spoolsv.exe
324	explorer.exe
1260	spoolsv.exe
324	explorer.exe
1832	spoolsv.exe
324	explorer.exe
1872	spoolsv.exe
324	explorer.exe
468	spoolsv.exe
324	explorer.exe
2684	spoolsv.exe
324	explorer.exe
1056	spoolsv.exe
324	explorer.exe
1924	spoolsv.exe
324	explorer.exe
352	spoolsv.exe
324	explorer.exe
904	spoolsv.exe
324	explorer.exe
2784	spoolsv.exe
324	explorer.exe
580	spoolsv.exe
324	explorer.exe
1280	spoolsv.exe
324	explorer.exe
2292	spoolsv.exe
324	explorer.exe
1640	spoolsv.exe
324	explorer.exe
1596	spoolsv.exe
324	explorer.exe
2612	spoolsv.exe
324	explorer.exe
2040	spoolsv.exe
324	explorer.exe
2944	spoolsv.exe
324	explorer.exe
408	spoolsv.exe
324	explorer.exe
2256	spoolsv.exe
324	explorer.exe
2512	spoolsv.exe
2660	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
2944	explorer.exe
2944	explorer.exe
324	explorer.exe
324	explorer.exe
900	spoolsv.exe
900	spoolsv.exe
324	explorer.exe
324	explorer.exe
1700	spoolsv.exe
1700	spoolsv.exe
2972	spoolsv.exe
2972	spoolsv.exe
1032	spoolsv.exe
1032	spoolsv.exe
3040	spoolsv.exe
3040	spoolsv.exe
2352	spoolsv.exe
2352	spoolsv.exe
1292	spoolsv.exe
1292	spoolsv.exe
2096	spoolsv.exe
2096	spoolsv.exe
2408	spoolsv.exe
2408	spoolsv.exe
1260	spoolsv.exe
1260	spoolsv.exe
1832	spoolsv.exe
1832	spoolsv.exe
1872	spoolsv.exe
1872	spoolsv.exe
468	spoolsv.exe
468	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
1056	spoolsv.exe
1056	spoolsv.exe
1924	spoolsv.exe
1924	spoolsv.exe
352	spoolsv.exe
352	spoolsv.exe
904	spoolsv.exe
904	spoolsv.exe
2784	spoolsv.exe
2784	spoolsv.exe
580	spoolsv.exe
580	spoolsv.exe
1280	spoolsv.exe
1280	spoolsv.exe
2292	spoolsv.exe
2292	spoolsv.exe
1640	spoolsv.exe
1640	spoolsv.exe
1596	spoolsv.exe
1596	spoolsv.exe
2612	spoolsv.exe
2612	spoolsv.exe
2040	spoolsv.exe
2040	spoolsv.exe
2944	spoolsv.exe
2944	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2852	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2852	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2852	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2852	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	30
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1936	2884	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	32
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2564	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 1936 wrote to memory of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 1936 wrote to memory of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 1936 wrote to memory of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 1936 wrote to memory of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 1936 wrote to memory of 2456	1936	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	35
PID 2564 wrote to memory of 2944	2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	36
PID 2564 wrote to memory of 2944	2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	36
PID 2564 wrote to memory of 2944	2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	36
PID 2564 wrote to memory of 2944	2564	c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe	36
PID 2944 wrote to memory of 2252	2944	explorer.exe	37
PID 2944 wrote to memory of 2252	2944	explorer.exe	37
PID 2944 wrote to memory of 2252	2944	explorer.exe	37
PID 2944 wrote to memory of 2252	2944	explorer.exe	37
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39
PID 2944 wrote to memory of 1516	2944	explorer.exe	39

C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\c7c487898de848c5e11c8fc5f946dcb7_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2252
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1516
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        
        PID:2736
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:2612
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:924
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:816
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2768
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:680
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:2700
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2380
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Drops file in Windows directory
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:2504
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1164
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:844
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2160
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3040
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1560
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.7MB

MD5
c7c487898de848c5e11c8fc5f946dcb7

SHA1
cbc0283d5aedf0622e1dad21b65938a69f7ae050

SHA256
1d57ebf6340c18bcf867f9890d01b99890e692d7cc2116a790800ac9fde89dac

SHA512
be48742991dbce68dd61820f7a77a1d29bba26313bdbecaf34633b48cbb34f631e2a340804b9261f1422cd2dfb9f5cf93171a7ce783acc0fcb49c52696d02f5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
\Windows\system\explorer.exe

Filesize
2.7MB

MD5
2b53d1a23bf3e320b160fd14b498affe

SHA1
e8d649776945befff414b07c9d2c9338d00c1595

SHA256
e00cbd52abfbe8a2e251105e102b19b1d62eef7ec67e8d86e807efbd9a8d28d2

SHA512
e556d683a4b137eb9fe405c226677278818ea3e009ff643f3f89320ac769399258d181c0fb7d0fae1d506b1aed3038934b900dcebd5ed0daff98a93afe27429a

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.7MB

MD5
302aa2f54d9be846caea6c4290b5e9a5

SHA1
4bbec02ca694a3cef14aaf620076f20ac02bcc44

SHA256
7c08c823178232b42d4a7e1c5a52481a15ca844f99434a2eb50d8c1b32aae4f6

SHA512
67495a355c70668dbd09d59b5cf19f8c98b146fb93e7e6793e27809ece4bcbf8907fe578388b069f94c19dc807a9834c8ad9b21165dde9e66b491aff8c05e7a0

Download Submit
memory/324-474-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1121-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-359-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-354-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1067-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1066-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-416-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1065-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1013-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-415-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-917-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-963-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-252-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1173-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-911-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-908-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-192-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-856-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-857-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/324-855-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-305-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-802-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-752-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-708-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-697-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-531-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1118-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-1120-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-645-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-702-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/324-588-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/352-1068-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/352-1073-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/400-526-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/468-863-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/468-858-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/844-1063-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/872-355-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/900-242-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/900-194-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/904-1136-0x00000000004F0000-0x0000000000535000-memory.dmp

Filesize
276KB

Download
memory/904-1122-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1032-360-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1032-367-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1056-969-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/1056-965-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1164-854-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1260-709-0x0000000001D70000-0x0000000001DB5000-memory.dmp

Filesize
276KB

Download
memory/1260-703-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1292-530-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1292-539-0x0000000000530000-0x0000000000575000-memory.dmp

Filesize
276KB

Download
memory/1516-149-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1516-696-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1604-583-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-253-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1752-909-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1764-803-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1772-753-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1812-1014-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1832-754-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1832-758-0x0000000001C70000-0x0000000001CB5000-memory.dmp

Filesize
276KB

Download
memory/1872-809-0x0000000001E20000-0x0000000001E65000-memory.dmp

Filesize
276KB

Download
memory/1872-804-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1924-1015-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1936-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1936-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-87-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1936-49-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1936-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1936-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1972-411-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-964-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2096-596-0x0000000000380000-0x00000000003C5000-memory.dmp

Filesize
276KB

Download
memory/2096-589-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2188-469-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2312-1119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2352-473-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2352-481-0x0000000000560000-0x00000000005A5000-memory.dmp

Filesize
276KB

Download
memory/2380-698-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2408-646-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2456-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2456-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2564-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-95-0x0000000002450000-0x0000000002495000-memory.dmp

Filesize
276KB

Download
memory/2564-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-94-0x0000000002450000-0x0000000002495000-memory.dmp

Filesize
276KB

Download
memory/2564-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-641-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2684-912-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2684-918-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2876-296-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2884-41-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2884-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2944-97-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2944-147-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2964-244-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2972-306-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-424-0x0000000001CC0000-0x0000000001D05000-memory.dmp

Filesize
276KB

Download
memory/3040-417-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-463-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download