6358f71afa7b2ed78b0462f39b2b152a636317953e6a3cddfcb2a9b62558e6d8

Analysis

max time kernel
47s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 15:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
Size

20KB
MD5

86b33cea3b6b02ed613a1fbfd59daa1e
SHA1

a07e0a22c4a53f152379d0e618621336da08b900
SHA256

6358f71afa7b2ed78b0462f39b2b152a636317953e6a3cddfcb2a9b62558e6d8
SHA512

f1896cefeaa6bf0507adc0a358a3973d13b427dafb61b2be80d81f467a05d5c6fa933fbbcadf75f3127909504fd8f119bb43b87574a36a53c0e22450f7ff09aa
SSDEEP

384:yyhT9tuNICRb1RCjXh+IDS8a5XT1lDYOEiQlzJQnoFTfUe95nDxy:v94B5RKX48qj1l0ON4Pv8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ronvtelne.exe

Executes dropped EXE 47 IoCs

pid	Process
1256	ronvtelne.exe
2704	ronvtelne.exe
4880	ronvtelne.exe
4740	ronvtelne.exe
4816	ronvtelne.exe
4968	ronvtelne.exe
2964	ronvtelne.exe
4160	ronvtelne.exe
1432	ronvtelne.exe
3584	ronvtelne.exe
2144	ronvtelne.exe
3872	ronvtelne.exe
2428	ronvtelne.exe
2980	ronvtelne.exe
4744	ronvtelne.exe
4184	ronvtelne.exe
792	ronvtelne.exe
1092	ronvtelne.exe
4768	ronvtelne.exe
3660	ronvtelne.exe
468	ronvtelne.exe
1760	ronvtelne.exe
3832	ronvtelne.exe
728	ronvtelne.exe
3220	ronvtelne.exe
1100	ronvtelne.exe
752	ronvtelne.exe
4432	ronvtelne.exe
4872	ronvtelne.exe
3872	ronvtelne.exe
1848	ronvtelne.exe
3792	ronvtelne.exe
4748	ronvtelne.exe
2772	ronvtelne.exe
3984	ronvtelne.exe
2224	ronvtelne.exe
1476	ronvtelne.exe
3620	ronvtelne.exe
4504	ronvtelne.exe
4816	ronvtelne.exe
1400	ronvtelne.exe
4400	ronvtelne.exe
3500	ronvtelne.exe
3100	ronvtelne.exe
4116	ronvtelne.exe
1080	ronvtelne.exe
1704	ronvtelne.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe
File created	C:\Windows\SysWOW64\ronvtelne.exe	ronvtelne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronvtelne.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelne.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4420	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
4420	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
1256	ronvtelne.exe
1256	ronvtelne.exe
2704	ronvtelne.exe
2704	ronvtelne.exe
4880	ronvtelne.exe
4880	ronvtelne.exe
4740	ronvtelne.exe
4740	ronvtelne.exe
4816	ronvtelne.exe
4816	ronvtelne.exe
4968	ronvtelne.exe
4968	ronvtelne.exe
2964	ronvtelne.exe
2964	ronvtelne.exe
4160	ronvtelne.exe
4160	ronvtelne.exe
1432	ronvtelne.exe
1432	ronvtelne.exe
3584	ronvtelne.exe
3584	ronvtelne.exe
2144	ronvtelne.exe
2144	ronvtelne.exe
3872	ronvtelne.exe
3872	ronvtelne.exe
2428	ronvtelne.exe
2428	ronvtelne.exe
2980	ronvtelne.exe
2980	ronvtelne.exe
4744	ronvtelne.exe
4744	ronvtelne.exe
4184	ronvtelne.exe
4184	ronvtelne.exe
792	ronvtelne.exe
792	ronvtelne.exe
1092	ronvtelne.exe
1092	ronvtelne.exe
4768	ronvtelne.exe
4768	ronvtelne.exe
3660	ronvtelne.exe
3660	ronvtelne.exe
468	ronvtelne.exe
468	ronvtelne.exe
1760	ronvtelne.exe
1760	ronvtelne.exe
3832	ronvtelne.exe
3832	ronvtelne.exe
728	ronvtelne.exe
728	ronvtelne.exe
3220	ronvtelne.exe
3220	ronvtelne.exe
1100	ronvtelne.exe
1100	ronvtelne.exe
752	ronvtelne.exe
752	ronvtelne.exe
4432	ronvtelne.exe
4432	ronvtelne.exe
4872	ronvtelne.exe
4872	ronvtelne.exe
3872	ronvtelne.exe
3872	ronvtelne.exe
1848	ronvtelne.exe
1848	ronvtelne.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1256	4420	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe	87
PID 4420 wrote to memory of 1256	4420	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe	87
PID 4420 wrote to memory of 1256	4420	86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe	87
PID 1256 wrote to memory of 2704	1256	ronvtelne.exe	88
PID 1256 wrote to memory of 2704	1256	ronvtelne.exe	88
PID 1256 wrote to memory of 2704	1256	ronvtelne.exe	88
PID 2704 wrote to memory of 4880	2704	ronvtelne.exe	89
PID 2704 wrote to memory of 4880	2704	ronvtelne.exe	89
PID 2704 wrote to memory of 4880	2704	ronvtelne.exe	89
PID 4880 wrote to memory of 4740	4880	ronvtelne.exe	90
PID 4880 wrote to memory of 4740	4880	ronvtelne.exe	90
PID 4880 wrote to memory of 4740	4880	ronvtelne.exe	90
PID 4740 wrote to memory of 4816	4740	ronvtelne.exe	91
PID 4740 wrote to memory of 4816	4740	ronvtelne.exe	91
PID 4740 wrote to memory of 4816	4740	ronvtelne.exe	91
PID 4816 wrote to memory of 4968	4816	ronvtelne.exe	92
PID 4816 wrote to memory of 4968	4816	ronvtelne.exe	92
PID 4816 wrote to memory of 4968	4816	ronvtelne.exe	92
PID 4968 wrote to memory of 2964	4968	ronvtelne.exe	93
PID 4968 wrote to memory of 2964	4968	ronvtelne.exe	93
PID 4968 wrote to memory of 2964	4968	ronvtelne.exe	93
PID 2964 wrote to memory of 4160	2964	ronvtelne.exe	94
PID 2964 wrote to memory of 4160	2964	ronvtelne.exe	94
PID 2964 wrote to memory of 4160	2964	ronvtelne.exe	94
PID 4160 wrote to memory of 1432	4160	ronvtelne.exe	95
PID 4160 wrote to memory of 1432	4160	ronvtelne.exe	95
PID 4160 wrote to memory of 1432	4160	ronvtelne.exe	95
PID 1432 wrote to memory of 3584	1432	ronvtelne.exe	96
PID 1432 wrote to memory of 3584	1432	ronvtelne.exe	96
PID 1432 wrote to memory of 3584	1432	ronvtelne.exe	96
PID 3584 wrote to memory of 2144	3584	ronvtelne.exe	99
PID 3584 wrote to memory of 2144	3584	ronvtelne.exe	99
PID 3584 wrote to memory of 2144	3584	ronvtelne.exe	99
PID 2144 wrote to memory of 3872	2144	ronvtelne.exe	123
PID 2144 wrote to memory of 3872	2144	ronvtelne.exe	123
PID 2144 wrote to memory of 3872	2144	ronvtelne.exe	123
PID 3872 wrote to memory of 2428	3872	ronvtelne.exe	101
PID 3872 wrote to memory of 2428	3872	ronvtelne.exe	101
PID 3872 wrote to memory of 2428	3872	ronvtelne.exe	101
PID 2428 wrote to memory of 2980	2428	ronvtelne.exe	103
PID 2428 wrote to memory of 2980	2428	ronvtelne.exe	103
PID 2428 wrote to memory of 2980	2428	ronvtelne.exe	103
PID 2980 wrote to memory of 4744	2980	ronvtelne.exe	105
PID 2980 wrote to memory of 4744	2980	ronvtelne.exe	105
PID 2980 wrote to memory of 4744	2980	ronvtelne.exe	105
PID 4744 wrote to memory of 4184	4744	ronvtelne.exe	106
PID 4744 wrote to memory of 4184	4744	ronvtelne.exe	106
PID 4744 wrote to memory of 4184	4744	ronvtelne.exe	106
PID 4184 wrote to memory of 792	4184	ronvtelne.exe	108
PID 4184 wrote to memory of 792	4184	ronvtelne.exe	108
PID 4184 wrote to memory of 792	4184	ronvtelne.exe	108
PID 792 wrote to memory of 1092	792	ronvtelne.exe	109
PID 792 wrote to memory of 1092	792	ronvtelne.exe	109
PID 792 wrote to memory of 1092	792	ronvtelne.exe	109
PID 1092 wrote to memory of 4768	1092	ronvtelne.exe	110
PID 1092 wrote to memory of 4768	1092	ronvtelne.exe	110
PID 1092 wrote to memory of 4768	1092	ronvtelne.exe	110
PID 4768 wrote to memory of 3660	4768	ronvtelne.exe	112
PID 4768 wrote to memory of 3660	4768	ronvtelne.exe	112
PID 4768 wrote to memory of 3660	4768	ronvtelne.exe	112
PID 3660 wrote to memory of 468	3660	ronvtelne.exe	113
PID 3660 wrote to memory of 468	3660	ronvtelne.exe	113
PID 3660 wrote to memory of 468	3660	ronvtelne.exe	113
PID 468 wrote to memory of 1760	468	ronvtelne.exe	115

C:\Users\Admin\AppData\Local\Temp\86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86b33cea3b6b02ed613a1fbfd59daa1e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\ronvtelne.exe
  "C:\Windows\system32\ronvtelne.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\ronvtelne.exe
    "C:\Windows\system32\ronvtelne.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\ronvtelne.exe
      "C:\Windows\system32\ronvtelne.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3832
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3220
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4432
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        49⤵
        
        PID:724
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        50⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        51⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        52⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        53⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        54⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        55⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        56⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        57⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        58⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        59⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        60⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        61⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        62⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        63⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        64⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        65⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        66⤵
        
        PID:456
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        67⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        68⤵
        
        PID:216
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        69⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        70⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        71⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        72⤵
        
        PID:828
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        73⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        74⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        75⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        76⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        77⤵
        
        PID:736
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        78⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        79⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        80⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        81⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        82⤵
        
        PID:636
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        83⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        84⤵
        
        PID:944
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        85⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        86⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        87⤵
        
        PID:792
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        88⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        89⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        90⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        91⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        92⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        93⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        94⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        95⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        96⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        97⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        98⤵
        
        PID:392
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        99⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        100⤵
        
        PID:448
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        101⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        102⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        103⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        104⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        105⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        106⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        107⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        108⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        109⤵
        
        PID:724
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        110⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        111⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        112⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        113⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        114⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        115⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        116⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        117⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        118⤵
        
        PID:756
        
        C:\Windows\SysWOW64\ronvtelne.exe
        
        "C:\Windows\system32\ronvtelne.exe"
        119⤵
        
        PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ronvtelne.exe

Filesize
20KB

MD5
86b33cea3b6b02ed613a1fbfd59daa1e

SHA1
a07e0a22c4a53f152379d0e618621336da08b900

SHA256
6358f71afa7b2ed78b0462f39b2b152a636317953e6a3cddfcb2a9b62558e6d8

SHA512
f1896cefeaa6bf0507adc0a358a3973d13b427dafb61b2be80d81f467a05d5c6fa933fbbcadf75f3127909504fd8f119bb43b87574a36a53c0e22450f7ff09aa

Download Submit
memory/468-103-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/724-145-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/728-109-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/752-115-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/792-94-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1056-160-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1080-143-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1092-96-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1100-113-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1220-152-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1256-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1316-151-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1340-153-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1400-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1432-78-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1436-156-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1476-134-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1680-148-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1704-144-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1760-105-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1848-124-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2144-82-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2224-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2428-86-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2456-159-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2468-149-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2704-64-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2772-131-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2964-74-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2980-88-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3064-157-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3100-141-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3220-111-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3500-140-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3584-80-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3620-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3660-101-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3792-127-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3832-107-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3872-122-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3872-84-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3984-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3984-147-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4116-142-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4160-76-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4184-92-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4240-150-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4252-155-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4400-139-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4420-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4432-117-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4504-136-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4592-146-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4740-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4744-90-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4748-129-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4768-99-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4808-158-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4816-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4816-70-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4872-120-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4880-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4968-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5032-154-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download