Analysis
-
max time kernel
146s
-
max time network
125s
-
platform
windows7_x64
-
resource
win7-20240611-en
-
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
-
submitted
14-06-2024 08:48
Behavioral task
behavioral1
Sample
a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
a8ce89f645360a94d3f5047921950625
-
SHA1
6d7b7f1edfc7bf341b3c7830ad4cabf89170c76c
-
SHA256
f10db93e25e680bc4e8a81a3ca8588b1b21ae42f9375ec037d7d832de0f38658
-
SHA512
0b64e340845617b2437ccb6be975665b9089fcadb474b22de1edfbd46522e9a5b32a9a6acb8185f12061a9a08d31d058a407806af8da83074ffd89c1274c14cd
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZH:0UzeyQMS4DqodCnoe+iitjWwwL
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
process: explorer.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exe
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
process: explorer.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exe
description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
process: explorer.exe
-
Drops startup file 2 IoCs
Processes:
a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
process: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
process: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
process: explorer.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
explorer.exe
description: PID 1960 set thread context of 2724
pid: 1960
process: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
target process: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
description: PID 2720 set thread context of 2188
pid: 2720
process: explorer.exe
target process: explorer.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exe
pid: 2188
process: explorer.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
explorer.exe
pid: 2724, process: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
pid: 2724, process: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
pid: 2188, process: explorer.exe
pid: 2188, process: explorer.exe
pid: 2188, process: explorer.exe
pid: 2188, process: explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution: 3
Registry Run Keys / Startup Folder: 2
Winlogon Helper DLL: 1
Privilege Escalation
Boot or Logon Autostart Execution: 3
Registry Run Keys / Startup Folder: 2
Winlogon Helper DLL: 1
Downloads
-
C:\Windows\Parameters.iniFilesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\Parameters.iniMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\system\explorer.exeFilesize
2.2MB
MD519031525b650851677beabbbd99397f1
SHA1014b99d38a5b37d23d4bab1327afa2f12082e66c
SHA2567653d3796383424f94c53bec54ad91d26f06c4ff3a4f2344141905ee761d5a7f
SHA51215935563cd8a940c65089206aa3529d2bda01adc138b4e02be9cacbb95d0445d4eb41ceab4a9fd3c62c43218764c0c1fc882bafdc78fb461ccae95c4bfc397f1
-
\Windows\system\spoolsv.exeFilesize
2.2MB
MD545853b3c7e059cd1bee9b76ff9a54a09
SHA178c5895cddaf82be4fa1569d7aafa2cda78512fa
SHA2567188e45613cbdd3fdb5f02101a13bc4a4df07f4d1a904473e9ff16920f723e64
SHA512571e78fdb71ff31ced156b40741a5badbd2c357c1f68bf39f010c79ebcc193388985a7ead20ace9023a71f08cfd73b33cf08e17cbe915824d69867c306cd1851