pony | ad86afca8b6b193d6382875daa039e7a3391ec5b1c72f614879e96374d42fe5e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
Size

2.2MB
MD5

c1fb33512aa2c9738ca38b96f6aca3bd
SHA1

2e8bfdf77a55d3a076f958da3915a7dbb9b5c824
SHA256

ad86afca8b6b193d6382875daa039e7a3391ec5b1c72f614879e96374d42fe5e
SHA512

ff11a178b8ced308b3e3ee6c60f55d33b38c26c97f6e3a8d1789641e53906568512c3ff68e34639a38cdb0ff072fdb69250f11831b4309054ebb6a66d438be75
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZO:0UzeyQMS4DqodCnoe+iitjWwwK

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2036	explorer.exe
4960	explorer.exe
2084	spoolsv.exe
4152	spoolsv.exe
3568	spoolsv.exe
2228	spoolsv.exe
4588	spoolsv.exe
4468	spoolsv.exe
3676	spoolsv.exe
3912	spoolsv.exe
3968	spoolsv.exe
4492	spoolsv.exe
4104	spoolsv.exe
2936	spoolsv.exe
3228	spoolsv.exe
1020	spoolsv.exe
1476	spoolsv.exe
1088	spoolsv.exe
4160	spoolsv.exe
3688	spoolsv.exe
4644	spoolsv.exe
100	spoolsv.exe
5032	spoolsv.exe
4356	spoolsv.exe
4180	spoolsv.exe
3700	spoolsv.exe
3988	spoolsv.exe
2512	spoolsv.exe
4652	spoolsv.exe
1452	spoolsv.exe
828	spoolsv.exe
440	spoolsv.exe
2412	spoolsv.exe
1604	explorer.exe
632	spoolsv.exe
3948	spoolsv.exe
3236	spoolsv.exe
4916	spoolsv.exe
3832	spoolsv.exe
1720	spoolsv.exe
232	spoolsv.exe
4136	explorer.exe
1496	spoolsv.exe
4072	spoolsv.exe
3964	spoolsv.exe
3776	spoolsv.exe
3684	spoolsv.exe
2144	spoolsv.exe
4220	explorer.exe
4176	spoolsv.exe
5040	spoolsv.exe
3996	spoolsv.exe
4776	spoolsv.exe
3924	spoolsv.exe
2248	spoolsv.exe
1892	explorer.exe
4024	spoolsv.exe
3068	spoolsv.exe
5036	spoolsv.exe
4832	spoolsv.exe
4944	spoolsv.exe
3212	spoolsv.exe
3896	explorer.exe
5000	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 56 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 2876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	96
PID 2036 set thread context of 4960	2036	explorer.exe	101
PID 2084 set thread context of 2412	2084	spoolsv.exe	133
PID 4152 set thread context of 632	4152	spoolsv.exe	135
PID 3568 set thread context of 3948	3568	spoolsv.exe	136
PID 2228 set thread context of 3236	2228	spoolsv.exe	137
PID 4588 set thread context of 4916	4588	spoolsv.exe	138
PID 4468 set thread context of 1720	4468	spoolsv.exe	140
PID 3676 set thread context of 232	3676	spoolsv.exe	141
PID 3912 set thread context of 1496	3912	spoolsv.exe	143
PID 3968 set thread context of 4072	3968	spoolsv.exe	144
PID 4492 set thread context of 3776	4492	spoolsv.exe	146
PID 4104 set thread context of 3684	4104	spoolsv.exe	147
PID 2936 set thread context of 2144	2936	spoolsv.exe	148
PID 3228 set thread context of 4176	3228	spoolsv.exe	150
PID 1020 set thread context of 5040	1020	spoolsv.exe	151
PID 1476 set thread context of 4776	1476	spoolsv.exe	153
PID 1088 set thread context of 3924	1088	spoolsv.exe	154
PID 4160 set thread context of 2248	4160	spoolsv.exe	155
PID 3688 set thread context of 3068	3688	spoolsv.exe	158
PID 4644 set thread context of 5036	4644	spoolsv.exe	159
PID 100 set thread context of 4832	100	spoolsv.exe	161
PID 5032 set thread context of 4944	5032	spoolsv.exe	162
PID 4356 set thread context of 3212	4356	spoolsv.exe	163
PID 4180 set thread context of 5000	4180	spoolsv.exe	165
PID 3700 set thread context of 2016	3700	spoolsv.exe	166
PID 3988 set thread context of 3056	3988	spoolsv.exe	167
PID 2512 set thread context of 528	2512	spoolsv.exe	169
PID 4652 set thread context of 4744	4652	spoolsv.exe	170
PID 1452 set thread context of 4500	1452	spoolsv.exe	171
PID 828 set thread context of 4372	828	spoolsv.exe	173
PID 440 set thread context of 228	440	spoolsv.exe	183
PID 1604 set thread context of 1932	1604	explorer.exe	185
PID 3832 set thread context of 776	3832	spoolsv.exe	188
PID 4136 set thread context of 2432	4136	explorer.exe	192
PID 3964 set thread context of 5056	3964	spoolsv.exe	194
PID 4220 set thread context of 5284	4220	explorer.exe	198
PID 3996 set thread context of 5352	3996	spoolsv.exe	199
PID 1892 set thread context of 5972	1892	explorer.exe	207
PID 4024 set thread context of 6084	4024	spoolsv.exe	212
PID 3896 set thread context of 5296	3896	explorer.exe	214
PID 556 set thread context of 5288	556	spoolsv.exe	215
PID 2164 set thread context of 2208	2164	spoolsv.exe	216
PID 4224 set thread context of 4264	4224	explorer.exe	217
PID 2000 set thread context of 5556	2000	spoolsv.exe	218
PID 4004 set thread context of 5612	4004	spoolsv.exe	219
PID 5104 set thread context of 5696	5104	spoolsv.exe	220
PID 1392 set thread context of 5800	1392	spoolsv.exe	221
PID 4716 set thread context of 5868	4716	spoolsv.exe	222
PID 3740 set thread context of 4912	3740	spoolsv.exe	224
PID 2204 set thread context of 2472	2204	explorer.exe	225
PID 876 set thread context of 548	876	spoolsv.exe	226
PID 2920 set thread context of 4032	2920	spoolsv.exe	228
PID 2200 set thread context of 5700	2200	spoolsv.exe	229
PID 3992 set thread context of 2184	3992	explorer.exe	230
PID 1404 set thread context of 5744	1404	spoolsv.exe	233

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4960	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
2412	spoolsv.exe
2412	spoolsv.exe
632	spoolsv.exe
632	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
3236	spoolsv.exe
3236	spoolsv.exe
4916	spoolsv.exe
4916	spoolsv.exe
1720	spoolsv.exe
1720	spoolsv.exe
232	spoolsv.exe
232	spoolsv.exe
1496	spoolsv.exe
1496	spoolsv.exe
4072	spoolsv.exe
4072	spoolsv.exe
3776	spoolsv.exe
3776	spoolsv.exe
3684	spoolsv.exe
3684	spoolsv.exe
2144	spoolsv.exe
2144	spoolsv.exe
4176	spoolsv.exe
4176	spoolsv.exe
5040	spoolsv.exe
5040	spoolsv.exe
4776	spoolsv.exe
4776	spoolsv.exe
3924	spoolsv.exe
3924	spoolsv.exe
2248	spoolsv.exe
2248	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
5036	spoolsv.exe
5036	spoolsv.exe
4832	spoolsv.exe
4832	spoolsv.exe
4944	spoolsv.exe
4944	spoolsv.exe
3212	spoolsv.exe
3212	spoolsv.exe
5000	spoolsv.exe
5000	spoolsv.exe
2016	spoolsv.exe
2016	spoolsv.exe
3056	spoolsv.exe
3056	spoolsv.exe
528	spoolsv.exe
528	spoolsv.exe
4744	spoolsv.exe
4744	spoolsv.exe
4500	spoolsv.exe
4500	spoolsv.exe
4372	spoolsv.exe
4372	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	84
PID 4800 wrote to memory of 2876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	96
PID 4800 wrote to memory of 2876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	96
PID 4800 wrote to memory of 2876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	96
PID 4800 wrote to memory of 2876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	96
PID 4800 wrote to memory of 2876	4800	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	96
PID 2876 wrote to memory of 2036	2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	97
PID 2876 wrote to memory of 2036	2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	97
PID 2876 wrote to memory of 2036	2876	c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe	97
PID 2036 wrote to memory of 4960	2036	explorer.exe	101
PID 2036 wrote to memory of 4960	2036	explorer.exe	101
PID 2036 wrote to memory of 4960	2036	explorer.exe	101
PID 2036 wrote to memory of 4960	2036	explorer.exe	101
PID 2036 wrote to memory of 4960	2036	explorer.exe	101
PID 4960 wrote to memory of 2084	4960	explorer.exe	102
PID 4960 wrote to memory of 2084	4960	explorer.exe	102
PID 4960 wrote to memory of 2084	4960	explorer.exe	102
PID 4960 wrote to memory of 4152	4960	explorer.exe	103
PID 4960 wrote to memory of 4152	4960	explorer.exe	103
PID 4960 wrote to memory of 4152	4960	explorer.exe	103
PID 4960 wrote to memory of 3568	4960	explorer.exe	104
PID 4960 wrote to memory of 3568	4960	explorer.exe	104
PID 4960 wrote to memory of 3568	4960	explorer.exe	104
PID 4960 wrote to memory of 2228	4960	explorer.exe	105
PID 4960 wrote to memory of 2228	4960	explorer.exe	105
PID 4960 wrote to memory of 2228	4960	explorer.exe	105
PID 4960 wrote to memory of 4588	4960	explorer.exe	106
PID 4960 wrote to memory of 4588	4960	explorer.exe	106
PID 4960 wrote to memory of 4588	4960	explorer.exe	106
PID 4960 wrote to memory of 4468	4960	explorer.exe	107
PID 4960 wrote to memory of 4468	4960	explorer.exe	107
PID 4960 wrote to memory of 4468	4960	explorer.exe	107
PID 4960 wrote to memory of 3676	4960	explorer.exe	108
PID 4960 wrote to memory of 3676	4960	explorer.exe	108
PID 4960 wrote to memory of 3676	4960	explorer.exe	108
PID 4960 wrote to memory of 3912	4960	explorer.exe	109
PID 4960 wrote to memory of 3912	4960	explorer.exe	109
PID 4960 wrote to memory of 3912	4960	explorer.exe	109
PID 4960 wrote to memory of 3968	4960	explorer.exe	110
PID 4960 wrote to memory of 3968	4960	explorer.exe	110
PID 4960 wrote to memory of 3968	4960	explorer.exe	110
PID 4960 wrote to memory of 4492	4960	explorer.exe	111
PID 4960 wrote to memory of 4492	4960	explorer.exe	111
PID 4960 wrote to memory of 4492	4960	explorer.exe	111
PID 4960 wrote to memory of 4104	4960	explorer.exe	112
PID 4960 wrote to memory of 4104	4960	explorer.exe	112
PID 4960 wrote to memory of 4104	4960	explorer.exe	112
PID 4960 wrote to memory of 2936	4960	explorer.exe	113
PID 4960 wrote to memory of 2936	4960	explorer.exe	113
PID 4960 wrote to memory of 2936	4960	explorer.exe	113
PID 4960 wrote to memory of 3228	4960	explorer.exe	114
PID 4960 wrote to memory of 3228	4960	explorer.exe	114
PID 4960 wrote to memory of 3228	4960	explorer.exe	114
PID 4960 wrote to memory of 1020	4960	explorer.exe	116
PID 4960 wrote to memory of 1020	4960	explorer.exe	116
PID 4960 wrote to memory of 1020	4960	explorer.exe	116
PID 4960 wrote to memory of 1476	4960	explorer.exe	117
PID 4960 wrote to memory of 1476	4960	explorer.exe	117
PID 4960 wrote to memory of 1476	4960	explorer.exe	117
PID 4960 wrote to memory of 1088	4960	explorer.exe	118
PID 4960 wrote to memory of 1088	4960	explorer.exe	118
PID 4960 wrote to memory of 1088	4960	explorer.exe	118
PID 4960 wrote to memory of 4160	4960	explorer.exe	119

C:\Users\Admin\AppData\Local\Temp\c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c1fb33512aa2c9738ca38b96f6aca3bd_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4492
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4104
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2936
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1892
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3688
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3212
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3896
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4224
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2204
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:776
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3992
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3964
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5352
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4024
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6084
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2164
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5104
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1392
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2920
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2200
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
1b886a1daf4882bb95cd8ebff2a437a5

SHA1
153001f7f293f8621c8c35a5cc38df89f6d92786

SHA256
dec2ae9aa1ed4d6c36d5b15459f1a7ddb15bbfc5b6ddccb7cfc179ff2f15ba99

SHA512
4f7d3329236b4eb3220458e57b562acc7b98584d87b0f1f30359c309c7ac13dbd99fb114c298737ac52ee542bd1898ed07cd9aed20409f310562e430d5ddad11

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
553968841356f296b97d54f7e6fe3395

SHA1
e5a302fc637709efad10221e81e1cfcd1012fbab

SHA256
d099630eb59f5e57138b588475561e0715b26241addd9021b422fb738149d370

SHA512
ee4357f988827ce39c91128e7310b6aa53ada04143631da978197e7ae818ba2b62b112804052511e2976af3e8b4ee7ae65a4a914503fd9f8b17eb908972e6e20

Download Submit
memory/100-1991-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/228-3619-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/232-2355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/232-2175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/528-2880-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/528-2885-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-5156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-4980-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-1996-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-2001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-1998-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/776-3791-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-1665-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1088-1840-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1476-1813-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1496-2184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-2126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-3487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2016-2785-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-83-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2036-88-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2084-1988-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2084-752-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2144-2522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-2376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-5024-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-4768-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-1077-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2228-2023-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2248-2534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-2749-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-1987-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-2156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-3842-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-4919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-1532-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3056-2812-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-2649-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-2934-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-2767-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-1664-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3236-2022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-2026-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-2012-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3568-1011-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3676-1185-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3684-2301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-2297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-1919-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3912-1266-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3924-2481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2014-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2010-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3968-1327-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4104-1471-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4152-1999-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4152-935-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4160-1907-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4176-2385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-4790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-2020-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4372-3017-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-3130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-1124-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4492-1399-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4500-2900-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-1078-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4644-1981-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4744-2891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-2468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-33-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4800-27-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4800-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4800-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4832-2671-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-2675-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-2036-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-3833-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-2008-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5036-2662-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-2396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-4046-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-3919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5284-4155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-4753-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5296-4756-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-4255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5556-4786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-4797-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-4997-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5744-5234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5868-4825-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5868-4821-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5972-4471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6084-4956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6084-4732-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download