warzonerat | 91a32fbe057b6c00b7e39d8c414445687056e5f8ea305a18b8e0aaa4d6c87237

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
Size

1.8MB
MD5

03f1712eceb8209e552364250b745bf4
SHA1

bca73bbbb6241f4852656abd98d15a340bb8f5f9
SHA256

91a32fbe057b6c00b7e39d8c414445687056e5f8ea305a18b8e0aaa4d6c87237
SHA512

2ee7db67438e8f56ab295ffdd3a236a567d0cdce9ee8d4217b2f871bf9e5076ed41c36ebc1da29bb492021b291e4eec6b5f2f3a249eb40bc0227acf3238a77e6
SSDEEP

12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDgs:r1gg4CppEI6GGfWDkCQDbGV6eH81kr

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2544	explorer.exe
2332	explorer.exe
1440	spoolsv.exe
1932	spoolsv.exe
1628	spoolsv.exe
2276	spoolsv.exe
552	spoolsv.exe
980	spoolsv.exe
3044	spoolsv.exe
1160	spoolsv.exe
1308	spoolsv.exe
956	spoolsv.exe
1492	spoolsv.exe
1736	spoolsv.exe
2272	spoolsv.exe
1732	spoolsv.exe
880	spoolsv.exe
1692	spoolsv.exe
1344	spoolsv.exe
2844	spoolsv.exe
2672	spoolsv.exe
2640	spoolsv.exe
2756	spoolsv.exe
2964	spoolsv.exe
2424	spoolsv.exe
3052	spoolsv.exe
2120	spoolsv.exe
884	spoolsv.exe
840	spoolsv.exe
1184	spoolsv.exe
2740	spoolsv.exe
1904	spoolsv.exe
3064	spoolsv.exe
1648	spoolsv.exe
1740	spoolsv.exe
1540	spoolsv.exe
1204	spoolsv.exe
2016	spoolsv.exe
2000	spoolsv.exe
3032	spoolsv.exe
1924	spoolsv.exe
2116	spoolsv.exe
388	spoolsv.exe
2268	spoolsv.exe
2804	spoolsv.exe
2944	spoolsv.exe
1064	spoolsv.exe
2252	spoolsv.exe
648	spoolsv.exe
672	spoolsv.exe
1536	spoolsv.exe
1500	spoolsv.exe
1092	spoolsv.exe
2968	spoolsv.exe
624	spoolsv.exe
1424	spoolsv.exe
2216	spoolsv.exe
3008	spoolsv.exe
2720	spoolsv.exe
2188	spoolsv.exe
2056	spoolsv.exe
1612	spoolsv.exe
1844	spoolsv.exe
2840	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

03f1712eceb8209e552364250b745bf4_JaffaCakes118.exeexplorer.exe

pid	process
2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

03f1712eceb8209e552364250b745bf4_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2508 set thread context of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 set thread context of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2544 set thread context of 2332	2544	explorer.exe	explorer.exe
PID 2544 set thread context of 1964	2544	explorer.exe	diskperf.exe
PID 1440 set thread context of 3144	1440	spoolsv.exe	spoolsv.exe
PID 1440 set thread context of 3204	1440	spoolsv.exe	diskperf.exe
PID 1932 set thread context of 3324	1932	spoolsv.exe	spoolsv.exe
PID 1932 set thread context of 3380	1932	spoolsv.exe	diskperf.exe
PID 1628 set thread context of 3452	1628	spoolsv.exe	spoolsv.exe
PID 1628 set thread context of 3508	1628	spoolsv.exe	diskperf.exe
PID 2276 set thread context of 3584	2276	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 3636	2276	spoolsv.exe	diskperf.exe
PID 552 set thread context of 3708	552	spoolsv.exe	spoolsv.exe
PID 552 set thread context of 3760	552	spoolsv.exe	diskperf.exe
PID 980 set thread context of 3836	980	spoolsv.exe	spoolsv.exe
PID 980 set thread context of 3892	980	spoolsv.exe	diskperf.exe
PID 3044 set thread context of 3964	3044	spoolsv.exe	spoolsv.exe
PID 3044 set thread context of 4016	3044	spoolsv.exe	diskperf.exe
PID 1160 set thread context of 4088	1160	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 3124	1160	spoolsv.exe	diskperf.exe
PID 1308 set thread context of 3160	1308	spoolsv.exe	spoolsv.exe
PID 1308 set thread context of 3308	1308	spoolsv.exe	diskperf.exe
PID 956 set thread context of 3332	956	spoolsv.exe	spoolsv.exe
PID 956 set thread context of 3440	956	spoolsv.exe	diskperf.exe
PID 1492 set thread context of 3484	1492	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 3656	1492	spoolsv.exe	diskperf.exe
PID 1736 set thread context of 3620	1736	spoolsv.exe	spoolsv.exe
PID 1736 set thread context of 3784	1736	spoolsv.exe	diskperf.exe
PID 2272 set thread context of 3748	2272	spoolsv.exe	spoolsv.exe
PID 2272 set thread context of 3924	2272	spoolsv.exe	diskperf.exe
PID 1732 set thread context of 3956	1732	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 4040	1732	spoolsv.exe	diskperf.exe
PID 880 set thread context of 3212	880	spoolsv.exe	spoolsv.exe
PID 880 set thread context of 3152	880	spoolsv.exe	diskperf.exe
PID 1692 set thread context of 3148	1692	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 3256	1692	spoolsv.exe	diskperf.exe
PID 1344 set thread context of 3520	1344	spoolsv.exe	spoolsv.exe
PID 1344 set thread context of 3368	1344	spoolsv.exe	diskperf.exe
PID 2844 set thread context of 3568	2844	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 3608	2844	spoolsv.exe	diskperf.exe
PID 2672 set thread context of 3804	2672	spoolsv.exe	spoolsv.exe
PID 2672 set thread context of 1700	2672	spoolsv.exe	diskperf.exe
PID 2640 set thread context of 3908	2640	spoolsv.exe	spoolsv.exe
PID 2640 set thread context of 432	2640	spoolsv.exe	diskperf.exe
PID 2756 set thread context of 4080	2756	spoolsv.exe	spoolsv.exe
PID 2756 set thread context of 3216	2756	spoolsv.exe	diskperf.exe
PID 2964 set thread context of 3284	2964	spoolsv.exe	spoolsv.exe
PID 2964 set thread context of 3164	2964	spoolsv.exe	diskperf.exe
PID 2424 set thread context of 2788	2424	spoolsv.exe	spoolsv.exe
PID 2424 set thread context of 3528	2424	spoolsv.exe	diskperf.exe
PID 3052 set thread context of 3632	3052	spoolsv.exe	spoolsv.exe
PID 2120 set thread context of 3576	2120	spoolsv.exe	spoolsv.exe
PID 3052 set thread context of 3780	3052	spoolsv.exe	diskperf.exe
PID 2120 set thread context of 3844	2120	spoolsv.exe	diskperf.exe
PID 884 set thread context of 3992	884	spoolsv.exe	spoolsv.exe
PID 884 set thread context of 3948	884	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

03f1712eceb8209e552364250b745bf4_JaffaCakes118.exeexplorer.exe

pid	process
2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2332 explorer.exe

pid	process
2332	explorer.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

pid	process
2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
3144	spoolsv.exe
3144	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
3452	spoolsv.exe
3452	spoolsv.exe
3584	spoolsv.exe
3584	spoolsv.exe
3708	spoolsv.exe
3708	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
3964	spoolsv.exe
3964	spoolsv.exe
4088	spoolsv.exe
4088	spoolsv.exe
3160	spoolsv.exe
3160	spoolsv.exe
3332	spoolsv.exe
3332	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3748	spoolsv.exe
3748	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
3212	spoolsv.exe
3212	spoolsv.exe
3148	spoolsv.exe
3148	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
3568	spoolsv.exe
3568	spoolsv.exe
3804	spoolsv.exe
3804	spoolsv.exe
3908	spoolsv.exe
3908	spoolsv.exe
4080	spoolsv.exe
4080	spoolsv.exe
3284	spoolsv.exe
3284	spoolsv.exe
2788	spoolsv.exe
2788	spoolsv.exe
3632	spoolsv.exe
3632	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe03f1712eceb8209e552364250b745bf4_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2548	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
PID 2508 wrote to memory of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2508 wrote to memory of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2508 wrote to memory of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2508 wrote to memory of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2508 wrote to memory of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2508 wrote to memory of 2748	2508	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	diskperf.exe
PID 2548 wrote to memory of 2544	2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	explorer.exe
PID 2548 wrote to memory of 2544	2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	explorer.exe
PID 2548 wrote to memory of 2544	2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	explorer.exe
PID 2548 wrote to memory of 2544	2548	03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 2332	2544	explorer.exe	explorer.exe
PID 2544 wrote to memory of 1964	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1964	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1964	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1964	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1964	2544	explorer.exe	diskperf.exe
PID 2544 wrote to memory of 1964	2544	explorer.exe	diskperf.exe
PID 2332 wrote to memory of 1440	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1440	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1440	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1440	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1932	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1932	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1932	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1932	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1628	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1628	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1628	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1628	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 2276	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 2276	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 2276	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 2276	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 552	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 552	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 552	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 552	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 980	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 980	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 980	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 980	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 3044	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 3044	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 3044	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 3044	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1160	2332	explorer.exe	spoolsv.exe
PID 2332 wrote to memory of 1160	2332	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f1712eceb8209e552364250b745bf4_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3144

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3908

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3284

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3632

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1928

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3904

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3996

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1384

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:572

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.8MB

MD5
03f1712eceb8209e552364250b745bf4

SHA1
bca73bbbb6241f4852656abd98d15a340bb8f5f9

SHA256
91a32fbe057b6c00b7e39d8c414445687056e5f8ea305a18b8e0aaa4d6c87237

SHA512
2ee7db67438e8f56ab295ffdd3a236a567d0cdce9ee8d4217b2f871bf9e5076ed41c36ebc1da29bb492021b291e4eec6b5f2f3a249eb40bc0227acf3238a77e6

Download Submit
C:\Windows\system\explorer.exe

Filesize
1.8MB

MD5
a8e80b3ea92cafde4b5d33fe5fc78b45

SHA1
baf5cb32cb8cab05fe59fdbdee52c861c83262c2

SHA256
0b166bd6461684dc1327b9ec349e2e78d9e97b85343abb438a48318b00b1b0f7

SHA512
1e51c00a549260a7f710cafe7c415d599c66039897e6682e210f361f98d2f6724f98ff49599df4e64c379d119aed06a88d28463b085aa41474f5706b4b9af164

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.8MB

MD5
e73bf0e0edbeb53dd543ba6d68777f2e

SHA1
623dcd80875e8fcee072674890e366ef6febddff

SHA256
5e48188604672fc3c16f14a4edcbf81e848d488d7da32f1607bcdcb903fe7699

SHA512
86fabd2db18d343ecfd2d65970128ba733ffd6c9065878895e4e4237b81785a7efba8a93b044bce4a83870d5c5e36b1718085b7f3f15dcb13735bea5ba86cf16

Download Submit
memory/552-202-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/552-129-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/840-347-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/880-236-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/884-340-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/956-269-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/956-184-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/980-141-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1160-247-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1160-163-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1184-355-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1308-173-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1344-260-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1440-128-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1440-89-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1492-194-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1628-162-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1692-246-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1732-225-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1736-204-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1736-282-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1932-140-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1964-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2120-332-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2272-215-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2276-182-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2332-318-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-214-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-86-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-100-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-99-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-258-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-118-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-354-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-363-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-364-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-366-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-139-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-138-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-365-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-353-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-346-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-161-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-160-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-150-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-339-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-172-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-338-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-183-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-87-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-193-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-331-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-315-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-316-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-213-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-259-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-319-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-224-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-234-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-307-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-235-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-245-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-308-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-306-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-248-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-299-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-297-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-298-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-272-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-270-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-290-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-268-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2332-284-0x0000000002DA0000-0x0000000002EB4000-memory.dmp

Filesize
1.1MB

Download
memory/2424-317-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2508-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2508-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2508-32-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2508-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2508-19-0x0000000002180000-0x0000000002294000-memory.dmp

Filesize
1.1MB

Download
memory/2508-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2544-47-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-48-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2544-44-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-45-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2548-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-37-0x0000000003110000-0x0000000003224000-memory.dmp

Filesize
1.1MB

Download
memory/2548-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-43-0x0000000003110000-0x0000000003224000-memory.dmp

Filesize
1.1MB

Download
memory/2640-291-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-283-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2748-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2748-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2748-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2748-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2756-300-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2844-273-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2964-309-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3044-154-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3052-325-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3144-1291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-1290-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download