Analysis
-
max time kernel: 84s
max time network: 127s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 08:21
Behavioral task
behavioral1
Sample
a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
a8b603770d5124daf70c7e229789d759
-
SHA1
4230dfeb07c88708256c2a28cbf5b7167ea7281b
-
SHA256
75272f7680d8957eb8db04678c9ffa3768693783d4d812dcae6efdd7fc0c0099
-
SHA512
fe3e0cbf96713bce9fb2e57eac35559dcee3d2510c596bdc5ac73d301c388b44b066cae02ec7a09d921eb610419003e2a46729c168c743474cf7659110c1ad90
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlD:86SIROiFJiwp0xlrlD
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
process: explorer.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exe
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
process: explorer.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exe
description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
process: explorer.exe
-
Drops startup file 2 IoCs
Processes:
a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
process: a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
process: a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
process: explorer.exe
-
Suspicious use of SetThreadContext 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exe
pid: 1968
process: explorer.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Users\Admin\AppData\Local\Temp\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8b603770d5124daf70c7e229789d759_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Downloads
-
C:\Windows\Parameters.iniFilesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUDFilesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
\Windows\system\explorer.exeFilesize
2.6MB
MD5cfeb3af4b439dfbbbe52c602619a9a4a
SHA14ddd96af2adc5936e4bc356fd87082952521cad0
SHA25603a0ba42b14ee4ab1d6535b4012075dcde98f0cbbf735b45f902def48050b398
SHA51288fbc0f03469c2f4c8d8c97160f5be4b32e7f1810676c2ad68eac53dbcfe529e611e19ecb388f9b9599141f9485530c1b11ae38c3eb82ea8e368a71dd018ccef
-
\Windows\system\spoolsv.exeFilesize
2.6MB
MD598072126b36313b1c3eabb46ab45a816
SHA15348053bcb4644f1143ea05cc75e930c958aefda
SHA256f12cdc0bf2acd4af1dae7b4c60dc8b74cb8c75c7e7efa12f32af991a212387b4
SHA51203992d36284f3f3549e8489b6b52d7fe3e1a7926801f7e0d746f4d834cf5162f70c75e0d47579818c6ee67485053df21c0d6297d8959d05e9ac603d1e2a25012