pony | 15d1de0cae0502b7fce67d76bd2b2749babba45998398da2e49a9b499f800ea9

Analysis

max time kernel
144s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
Size

2.2MB
MD5

bf02c7ea20bb6396cd3e5d7bb7776dd0
SHA1

2a8abaef3fcdc9ed37e4a50113406aa76c18a7c7
SHA256

15d1de0cae0502b7fce67d76bd2b2749babba45998398da2e49a9b499f800ea9
SHA512

5ce37d241a6c9db4d8365ba8316eb1e888633b43cb40e758f7d710061e60ed436446df1c671130f165c47cebcffe1027cb619ec2a4fcd35b92928bfda65c1367
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZp:0UzeyQMS4DqodCnoe+iitjWwwF

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
5112	explorer.exe
392	explorer.exe
3080	spoolsv.exe
1352	spoolsv.exe
1648	spoolsv.exe
2800	spoolsv.exe
4368	spoolsv.exe
2832	spoolsv.exe
3724	spoolsv.exe
4016	spoolsv.exe
3368	spoolsv.exe
2184	spoolsv.exe
4604	spoolsv.exe
1556	spoolsv.exe
3652	spoolsv.exe
4492	spoolsv.exe
4144	spoolsv.exe
2696	spoolsv.exe
1524	spoolsv.exe
4320	spoolsv.exe
2996	spoolsv.exe
3592	spoolsv.exe
3532	spoolsv.exe
3008	spoolsv.exe
4908	spoolsv.exe
4940	spoolsv.exe
4876	spoolsv.exe
3812	spoolsv.exe
4972	spoolsv.exe
4916	spoolsv.exe
540	spoolsv.exe
748	spoolsv.exe
1480	spoolsv.exe
1652	explorer.exe
1464	spoolsv.exe
3476	spoolsv.exe
4884	spoolsv.exe
3484	spoolsv.exe
2296	spoolsv.exe
1464	spoolsv.exe
2248	spoolsv.exe
1144	explorer.exe
4924	spoolsv.exe
4792	spoolsv.exe
3136	spoolsv.exe
1520	spoolsv.exe
3584	explorer.exe
620	spoolsv.exe
3264	spoolsv.exe
3004	spoolsv.exe
1592	spoolsv.exe
3508	spoolsv.exe
456	spoolsv.exe
2748	spoolsv.exe
1580	explorer.exe
2932	spoolsv.exe
740	spoolsv.exe
4156	spoolsv.exe
1848	spoolsv.exe
2092	spoolsv.exe
1668	explorer.exe
3432	spoolsv.exe
4052	spoolsv.exe
2528	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 54 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2072	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	99
PID 5112 set thread context of 392	5112	explorer.exe	106
PID 3080 set thread context of 1480	3080	spoolsv.exe	138
PID 1352 set thread context of 1464	1352	spoolsv.exe	140
PID 1648 set thread context of 3476	1648	spoolsv.exe	141
PID 2800 set thread context of 4884	2800	spoolsv.exe	142
PID 4368 set thread context of 3484	4368	spoolsv.exe	143
PID 2832 set thread context of 2296	2832	spoolsv.exe	144
PID 3724 set thread context of 2248	3724	spoolsv.exe	146
PID 4016 set thread context of 4924	4016	spoolsv.exe	148
PID 3368 set thread context of 3136	3368	spoolsv.exe	150
PID 2184 set thread context of 1520	2184	spoolsv.exe	151
PID 4604 set thread context of 620	4604	spoolsv.exe	153
PID 1556 set thread context of 3264	1556	spoolsv.exe	154
PID 3652 set thread context of 1592	3652	spoolsv.exe	157
PID 4492 set thread context of 3508	4492	spoolsv.exe	158
PID 4144 set thread context of 456	4144	spoolsv.exe	159
PID 2696 set thread context of 2748	2696	spoolsv.exe	160
PID 1524 set thread context of 2932	1524	spoolsv.exe	162
PID 4320 set thread context of 740	4320	spoolsv.exe	163
PID 2996 set thread context of 1848	2996	spoolsv.exe	165
PID 3592 set thread context of 2092	3592	spoolsv.exe	166
PID 3532 set thread context of 3432	3532	spoolsv.exe	168
PID 3008 set thread context of 4052	3008	spoolsv.exe	169
PID 4908 set thread context of 4304	4908	spoolsv.exe	171
PID 4940 set thread context of 620	4940	spoolsv.exe	172
PID 4876 set thread context of 4776	4876	spoolsv.exe	174
PID 3812 set thread context of 4580	3812	spoolsv.exe	176
PID 4972 set thread context of 1508	4972	spoolsv.exe	177
PID 4916 set thread context of 4532	4916	spoolsv.exe	178
PID 540 set thread context of 3624	540	spoolsv.exe	181
PID 1652 set thread context of 3852	1652	explorer.exe	192
PID 748 set thread context of 3028	748	spoolsv.exe	193
PID 1464 set thread context of 428	1464	spoolsv.exe	199
PID 1144 set thread context of 3124	1144	explorer.exe	201
PID 4792 set thread context of 1528	4792	spoolsv.exe	207
PID 3584 set thread context of 5904	3584	explorer.exe	211
PID 3004 set thread context of 1348	3004	spoolsv.exe	213
PID 1580 set thread context of 5188	1580	explorer.exe	215
PID 4156 set thread context of 640	4156	spoolsv.exe	218
PID 1668 set thread context of 2040	1668	explorer.exe	220
PID 2528 set thread context of 5152	2528	spoolsv.exe	222
PID 552 set thread context of 5972	552	explorer.exe	226
PID 5044 set thread context of 5548	5044	spoolsv.exe	227
PID 4496 set thread context of 5680	4496	explorer.exe	229
PID 2412 set thread context of 6044	2412	spoolsv.exe	230
PID 1312 set thread context of 5752	1312	spoolsv.exe	231
PID 1988 set thread context of 5840	1988	spoolsv.exe	232
PID 1700 set thread context of 5912	1700	spoolsv.exe	233
PID 1692 set thread context of 1732	1692	spoolsv.exe	234
PID 1420 set thread context of 4896	1420	spoolsv.exe	236
PID 3560 set thread context of 5240	3560	spoolsv.exe	237
PID 4568 set thread context of 5252	4568	explorer.exe	238
PID 3984 set thread context of 3324	3984	spoolsv.exe	239

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
392	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
392	explorer.exe
1480	spoolsv.exe
1480	spoolsv.exe
1464	spoolsv.exe
1464	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
4884	spoolsv.exe
4884	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
2248	spoolsv.exe
2248	spoolsv.exe
4924	spoolsv.exe
4924	spoolsv.exe
3136	spoolsv.exe
3136	spoolsv.exe
1520	spoolsv.exe
1520	spoolsv.exe
620	spoolsv.exe
620	spoolsv.exe
3264	spoolsv.exe
3264	spoolsv.exe
1592	spoolsv.exe
1592	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
2748	spoolsv.exe
2748	spoolsv.exe
2932	spoolsv.exe
2932	spoolsv.exe
740	spoolsv.exe
740	spoolsv.exe
1848	spoolsv.exe
1848	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
3432	spoolsv.exe
3432	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
4304	spoolsv.exe
4304	spoolsv.exe
620	spoolsv.exe
620	spoolsv.exe
4776	spoolsv.exe
4776	spoolsv.exe
4580	spoolsv.exe
4580	spoolsv.exe
1508	spoolsv.exe
1508	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
3624	spoolsv.exe
3624	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 4560	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	85
PID 2832 wrote to memory of 4560	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	85
PID 2832 wrote to memory of 2072	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	99
PID 2832 wrote to memory of 2072	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	99
PID 2832 wrote to memory of 2072	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	99
PID 2832 wrote to memory of 2072	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	99
PID 2832 wrote to memory of 2072	2832	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	99
PID 2072 wrote to memory of 5112	2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	100
PID 2072 wrote to memory of 5112	2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	100
PID 2072 wrote to memory of 5112	2072	bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe	100
PID 5112 wrote to memory of 392	5112	explorer.exe	106
PID 5112 wrote to memory of 392	5112	explorer.exe	106
PID 5112 wrote to memory of 392	5112	explorer.exe	106
PID 5112 wrote to memory of 392	5112	explorer.exe	106
PID 5112 wrote to memory of 392	5112	explorer.exe	106
PID 392 wrote to memory of 3080	392	explorer.exe	107
PID 392 wrote to memory of 3080	392	explorer.exe	107
PID 392 wrote to memory of 3080	392	explorer.exe	107
PID 392 wrote to memory of 1352	392	explorer.exe	108
PID 392 wrote to memory of 1352	392	explorer.exe	108
PID 392 wrote to memory of 1352	392	explorer.exe	108
PID 392 wrote to memory of 1648	392	explorer.exe	109
PID 392 wrote to memory of 1648	392	explorer.exe	109
PID 392 wrote to memory of 1648	392	explorer.exe	109
PID 392 wrote to memory of 2800	392	explorer.exe	110
PID 392 wrote to memory of 2800	392	explorer.exe	110
PID 392 wrote to memory of 2800	392	explorer.exe	110
PID 392 wrote to memory of 4368	392	explorer.exe	111
PID 392 wrote to memory of 4368	392	explorer.exe	111
PID 392 wrote to memory of 4368	392	explorer.exe	111
PID 392 wrote to memory of 2832	392	explorer.exe	112
PID 392 wrote to memory of 2832	392	explorer.exe	112
PID 392 wrote to memory of 2832	392	explorer.exe	112
PID 392 wrote to memory of 3724	392	explorer.exe	114
PID 392 wrote to memory of 3724	392	explorer.exe	114
PID 392 wrote to memory of 3724	392	explorer.exe	114
PID 392 wrote to memory of 4016	392	explorer.exe	115
PID 392 wrote to memory of 4016	392	explorer.exe	115
PID 392 wrote to memory of 4016	392	explorer.exe	115
PID 392 wrote to memory of 3368	392	explorer.exe	116
PID 392 wrote to memory of 3368	392	explorer.exe	116
PID 392 wrote to memory of 3368	392	explorer.exe	116
PID 392 wrote to memory of 2184	392	explorer.exe	117
PID 392 wrote to memory of 2184	392	explorer.exe	117
PID 392 wrote to memory of 2184	392	explorer.exe	117
PID 392 wrote to memory of 4604	392	explorer.exe	118
PID 392 wrote to memory of 4604	392	explorer.exe	118
PID 392 wrote to memory of 4604	392	explorer.exe	118
PID 392 wrote to memory of 1556	392	explorer.exe	119
PID 392 wrote to memory of 1556	392	explorer.exe	119
PID 392 wrote to memory of 1556	392	explorer.exe	119
PID 392 wrote to memory of 3652	392	explorer.exe	120
PID 392 wrote to memory of 3652	392	explorer.exe	120
PID 392 wrote to memory of 3652	392	explorer.exe	120
PID 392 wrote to memory of 4492	392	explorer.exe	121
PID 392 wrote to memory of 4492	392	explorer.exe	121
PID 392 wrote to memory of 4492	392	explorer.exe	121
PID 392 wrote to memory of 4144	392	explorer.exe	122
PID 392 wrote to memory of 4144	392	explorer.exe	122
PID 392 wrote to memory of 4144	392	explorer.exe	122
PID 392 wrote to memory of 2696	392	explorer.exe	123
PID 392 wrote to memory of 2696	392	explorer.exe	123
PID 392 wrote to memory of 2696	392	explorer.exe	123
PID 392 wrote to memory of 1524	392	explorer.exe	124

C:\Users\Admin\AppData\Local\Temp\bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4560
- C:\Users\Admin\AppData\Local\Temp\bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bf02c7ea20bb6396cd3e5d7bb7776dd0_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4368
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3368
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4492
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1524
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3008
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4940
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:552
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4532
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4496
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4568
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1464
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4792
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4156
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:640
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4208
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5772
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
ec6bf450a3f2ef140a9339ef469710d9

SHA1
c355e2d69b00ad1a925a63c86c82656e4a01f6e6

SHA256
dce7e93ccd3dc10d6003d163acb3b7c8f97b7eadfea06e4d482b2f29f7e07b74

SHA512
73109a8c2ee53c67254f6859cdf52cad4965c2c6020972b77601a8d9ff4095f29fc93d13eac473e9a3498b74abc4bfa59eb47b2784e33a45e1dd41969955add5

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
d8e85cf06d39ad4f9ce910b2791aeb08

SHA1
cedb74173386c39243645f2ca20f67eb1ff7b499

SHA256
8d1891eab00b3f91f8ba10764527ac5d858141849cfd3ccee3bcf2e71d67b79c

SHA512
2b44feb1a8e0e06f626bf9bc4aaa096f3b3f21badc5f0e62055647201f98bb44e3ea36a6e4b3d1164e2099cba8b8aff1a78617b99c17a20f00a6974e8c7d8901

Download Submit
memory/392-634-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/428-3761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/456-2417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-2285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-2973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-2821-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-2288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-4603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-4473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-2480-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-5151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-4300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-773-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1352-1908-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1464-1910-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-1907-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-1898-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-2024-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-2918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-2277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-2443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-1736-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1528-4207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-4059-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-1494-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1592-2384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-1922-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1648-927-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1848-2564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-2567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-4546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-2636-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-1351-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2248-2082-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-2244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-1949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-1676-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2748-2460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2748-2609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-928-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2800-1928-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2832-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-1080-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-42-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2932-2469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-1880-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3008-1919-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3080-1899-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3080-711-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3124-3773-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-2174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-2296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-2301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-4982-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3368-1268-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3432-2647-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-1920-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-1916-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3484-1942-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-1900-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3592-1897-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3624-3096-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-1546-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3724-1146-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3852-3556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-1197-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4052-2668-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-1675-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4320-1804-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4368-1024-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4492-1608-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4532-3149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-1432-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4776-2833-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4884-1930-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-4951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-2091-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-2093-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-99-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5112-105-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5152-4630-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5152-4723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5188-4311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5252-4972-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5548-4818-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5548-5035-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5680-4840-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5772-5054-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5792-5065-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5832-5073-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5840-4859-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5904-4238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5912-4867-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5972-4809-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6044-4832-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download