pony | bc4df46b76c5f6a581ecb2374587b833b4084ef920f6f52c6dc9b3c2f2ea53b0

Analysis

max time kernel
130s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
Size

2.2MB
MD5

cc168da10daa3b404708fa53b23b8be7
SHA1

0c5cf63ad20055eb13f289a41c7e75b21049b953
SHA256

bc4df46b76c5f6a581ecb2374587b833b4084ef920f6f52c6dc9b3c2f2ea53b0
SHA512

2cc6a889827aef562b6694fd4488ea226c04227d94a85d31e6fb254f1a97ed55641f4dad951c9eb4cc80c731fd18c4b8ec2b8f5f6f5fbed938d6af72f4de3c59
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZi:0UzeyQMS4DqodCnoe+iitjWwwG

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4552	explorer.exe
640	explorer.exe
3336	spoolsv.exe
4828	spoolsv.exe
3020	spoolsv.exe
1372	spoolsv.exe
368	spoolsv.exe
3160	spoolsv.exe
5064	spoolsv.exe
3412	spoolsv.exe
4528	spoolsv.exe
4524	spoolsv.exe
3708	spoolsv.exe
4908	spoolsv.exe
2356	spoolsv.exe
1984	spoolsv.exe
4920	spoolsv.exe
948	spoolsv.exe
4312	spoolsv.exe
3576	spoolsv.exe
976	spoolsv.exe
3552	spoolsv.exe
4336	spoolsv.exe
2040	spoolsv.exe
1472	spoolsv.exe
3556	spoolsv.exe
1088	spoolsv.exe
2532	spoolsv.exe
3900	spoolsv.exe
2884	spoolsv.exe
2724	spoolsv.exe
4064	spoolsv.exe
3224	spoolsv.exe
4748	spoolsv.exe
4836	spoolsv.exe
2804	spoolsv.exe
3912	spoolsv.exe
316	spoolsv.exe
3772	explorer.exe
1244	spoolsv.exe
2928	spoolsv.exe
2528	spoolsv.exe
1000	spoolsv.exe
2276	spoolsv.exe
3376	spoolsv.exe
4808	explorer.exe
4340	spoolsv.exe
3440	spoolsv.exe
3972	spoolsv.exe
2824	spoolsv.exe
1152	spoolsv.exe
468	spoolsv.exe
4056	spoolsv.exe
3352	spoolsv.exe
1460	spoolsv.exe
2396	spoolsv.exe
2164	explorer.exe
1040	spoolsv.exe
3512	spoolsv.exe
2772	spoolsv.exe
3364	spoolsv.exe
4596	spoolsv.exe
408	spoolsv.exe
1696	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 44 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 4232	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	96
PID 4552 set thread context of 640	4552	explorer.exe	101
PID 3336 set thread context of 316	3336	spoolsv.exe	139
PID 4828 set thread context of 1244	4828	spoolsv.exe	141
PID 3020 set thread context of 2928	3020	spoolsv.exe	142
PID 1372 set thread context of 2528	1372	spoolsv.exe	143
PID 368 set thread context of 1000	368	spoolsv.exe	144
PID 3160 set thread context of 2276	3160	spoolsv.exe	145
PID 5064 set thread context of 3376	5064	spoolsv.exe	146
PID 3412 set thread context of 3440	3412	spoolsv.exe	149
PID 4528 set thread context of 3972	4528	spoolsv.exe	150
PID 4524 set thread context of 2824	4524	spoolsv.exe	151
PID 3708 set thread context of 1152	3708	spoolsv.exe	152
PID 4908 set thread context of 468	4908	spoolsv.exe	153
PID 2356 set thread context of 4056	2356	spoolsv.exe	154
PID 1984 set thread context of 1460	1984	spoolsv.exe	156
PID 4920 set thread context of 2396	4920	spoolsv.exe	157
PID 948 set thread context of 1040	948	spoolsv.exe	159
PID 4312 set thread context of 3512	4312	spoolsv.exe	160
PID 3576 set thread context of 2772	3576	spoolsv.exe	161
PID 976 set thread context of 3364	976	spoolsv.exe	162
PID 3552 set thread context of 408	3552	spoolsv.exe	165
PID 4336 set thread context of 1696	4336	spoolsv.exe	166
PID 2040 set thread context of 1648	2040	spoolsv.exe	167
PID 1472 set thread context of 1608	1472	spoolsv.exe	169
PID 3556 set thread context of 972	3556	spoolsv.exe	170
PID 1088 set thread context of 232	1088	spoolsv.exe	172
PID 2532 set thread context of 536	2532	spoolsv.exe	173
PID 3900 set thread context of 5016	3900	spoolsv.exe	174
PID 2884 set thread context of 3792	2884	spoolsv.exe	176
PID 2724 set thread context of 3084	2724	spoolsv.exe	178
PID 4064 set thread context of 4404	4064	spoolsv.exe	179
PID 3224 set thread context of 3056	3224	spoolsv.exe	180
PID 4748 set thread context of 4892	4748	spoolsv.exe	181
PID 4836 set thread context of 3716	4836	spoolsv.exe	183
PID 2804 set thread context of 1500	2804	spoolsv.exe	193
PID 3772 set thread context of 4036	3772	explorer.exe	197
PID 3912 set thread context of 4344	3912	spoolsv.exe	198
PID 4340 set thread context of 5396	4340	spoolsv.exe	205
PID 4808 set thread context of 5492	4808	explorer.exe	207
PID 3352 set thread context of 5872	3352	spoolsv.exe	218
PID 2164 set thread context of 5164	2164	explorer.exe	221
PID 4596 set thread context of 4304	4596	spoolsv.exe	224
PID 380 set thread context of 6032	380	explorer.exe	227

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
640	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
316	spoolsv.exe
316	spoolsv.exe
1244	spoolsv.exe
1244	spoolsv.exe
2928	spoolsv.exe
2928	spoolsv.exe
2528	spoolsv.exe
2528	spoolsv.exe
1000	spoolsv.exe
1000	spoolsv.exe
2276	spoolsv.exe
2276	spoolsv.exe
3376	spoolsv.exe
3376	spoolsv.exe
3440	spoolsv.exe
3440	spoolsv.exe
3972	spoolsv.exe
3972	spoolsv.exe
2824	spoolsv.exe
2824	spoolsv.exe
1152	spoolsv.exe
1152	spoolsv.exe
468	spoolsv.exe
468	spoolsv.exe
4056	spoolsv.exe
4056	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
2396	spoolsv.exe
2396	spoolsv.exe
1040	spoolsv.exe
1040	spoolsv.exe
3512	spoolsv.exe
3512	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
3364	spoolsv.exe
3364	spoolsv.exe
408	spoolsv.exe
408	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1648	spoolsv.exe
1648	spoolsv.exe
1608	spoolsv.exe
1608	spoolsv.exe
972	spoolsv.exe
972	spoolsv.exe
232	spoolsv.exe
232	spoolsv.exe
536	spoolsv.exe
536	spoolsv.exe
5016	spoolsv.exe
5016	spoolsv.exe
3792	spoolsv.exe
3792	spoolsv.exe
3084	spoolsv.exe
3084	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 756	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	85
PID 1100 wrote to memory of 756	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	85
PID 1100 wrote to memory of 4232	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	96
PID 1100 wrote to memory of 4232	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	96
PID 1100 wrote to memory of 4232	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	96
PID 1100 wrote to memory of 4232	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	96
PID 1100 wrote to memory of 4232	1100	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	96
PID 4232 wrote to memory of 4552	4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	97
PID 4232 wrote to memory of 4552	4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	97
PID 4232 wrote to memory of 4552	4232	cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe	97
PID 4552 wrote to memory of 640	4552	explorer.exe	101
PID 4552 wrote to memory of 640	4552	explorer.exe	101
PID 4552 wrote to memory of 640	4552	explorer.exe	101
PID 4552 wrote to memory of 640	4552	explorer.exe	101
PID 4552 wrote to memory of 640	4552	explorer.exe	101
PID 640 wrote to memory of 3336	640	explorer.exe	102
PID 640 wrote to memory of 3336	640	explorer.exe	102
PID 640 wrote to memory of 3336	640	explorer.exe	102
PID 640 wrote to memory of 4828	640	explorer.exe	103
PID 640 wrote to memory of 4828	640	explorer.exe	103
PID 640 wrote to memory of 4828	640	explorer.exe	103
PID 640 wrote to memory of 3020	640	explorer.exe	104
PID 640 wrote to memory of 3020	640	explorer.exe	104
PID 640 wrote to memory of 3020	640	explorer.exe	104
PID 640 wrote to memory of 1372	640	explorer.exe	105
PID 640 wrote to memory of 1372	640	explorer.exe	105
PID 640 wrote to memory of 1372	640	explorer.exe	105
PID 640 wrote to memory of 368	640	explorer.exe	106
PID 640 wrote to memory of 368	640	explorer.exe	106
PID 640 wrote to memory of 368	640	explorer.exe	106
PID 640 wrote to memory of 3160	640	explorer.exe	107
PID 640 wrote to memory of 3160	640	explorer.exe	107
PID 640 wrote to memory of 3160	640	explorer.exe	107
PID 640 wrote to memory of 5064	640	explorer.exe	108
PID 640 wrote to memory of 5064	640	explorer.exe	108
PID 640 wrote to memory of 5064	640	explorer.exe	108
PID 640 wrote to memory of 3412	640	explorer.exe	109
PID 640 wrote to memory of 3412	640	explorer.exe	109
PID 640 wrote to memory of 3412	640	explorer.exe	109
PID 640 wrote to memory of 4528	640	explorer.exe	110
PID 640 wrote to memory of 4528	640	explorer.exe	110
PID 640 wrote to memory of 4528	640	explorer.exe	110
PID 640 wrote to memory of 4524	640	explorer.exe	111
PID 640 wrote to memory of 4524	640	explorer.exe	111
PID 640 wrote to memory of 4524	640	explorer.exe	111
PID 640 wrote to memory of 3708	640	explorer.exe	112
PID 640 wrote to memory of 3708	640	explorer.exe	112
PID 640 wrote to memory of 3708	640	explorer.exe	112
PID 640 wrote to memory of 4908	640	explorer.exe	115
PID 640 wrote to memory of 4908	640	explorer.exe	115
PID 640 wrote to memory of 4908	640	explorer.exe	115
PID 640 wrote to memory of 2356	640	explorer.exe	116
PID 640 wrote to memory of 2356	640	explorer.exe	116
PID 640 wrote to memory of 2356	640	explorer.exe	116
PID 640 wrote to memory of 1984	640	explorer.exe	117
PID 640 wrote to memory of 1984	640	explorer.exe	117
PID 640 wrote to memory of 1984	640	explorer.exe	117
PID 640 wrote to memory of 4920	640	explorer.exe	118
PID 640 wrote to memory of 4920	640	explorer.exe	118
PID 640 wrote to memory of 4920	640	explorer.exe	118
PID 640 wrote to memory of 948	640	explorer.exe	119
PID 640 wrote to memory of 948	640	explorer.exe	119
PID 640 wrote to memory of 948	640	explorer.exe	119
PID 640 wrote to memory of 4312	640	explorer.exe	120

C:\Users\Admin\AppData\Local\Temp\cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:756
- C:\Users\Admin\AppData\Local\Temp\cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cc168da10daa3b404708fa53b23b8be7_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4232
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:368
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4808
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4524
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3708
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4920
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2164
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:380
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2884
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4836
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4344
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4340
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4596
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4304
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2848
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5828
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:636
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2744
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5568
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5252
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1204

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
fa5e17bdf99a5251e769c423ecf4a81a

SHA1
2fcff2770980cc1d2b51c5f8710c4a961c224b5b

SHA256
1860ffc296fa668798901f79b23d7cc7b1881eeda11c558470a8dfd5843512aa

SHA512
6aa117bc154a2d9ccb65ca191ad68cd75d2d4f39a332b04ccd164be7261d6e3b70532a8cb31d158cc2871f84f134de11440bb5379c4db0b954c112de863feb95

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
8c66ffe0fd705ceec5084d6347a9e0de

SHA1
55299aca74800a8ff224fec8581fb944bf8e2621

SHA256
835369d4907125f4085666ab77437739d32fe85812beb22e15577666efa6440e

SHA512
90316bf47d7702878d20096fb250b5b6173c1dc9e1bc62f0d407d08c4d0223e078474ec0f269ab79ce0c2d0f361177834c1350fb91204b8eb5faba9608faf961

Download Submit
memory/232-3218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/232-3223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-2546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-2443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/368-1402-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/468-2700-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-3228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-5888-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-5060-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-902-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-2037-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/972-3126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-2228-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1000-2485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-2885-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-2464-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1100-45-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1100-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1100-36-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1100-37-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1152-2689-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1244-2455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1244-2451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-1321-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1472-2436-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1500-3632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-3112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-3116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-3103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-3273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-1903-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2040-2358-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2276-2506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-1902-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2396-2877-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-2476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-2904-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-5932-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-2465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-1195-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3056-3427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3160-1403-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3336-1033-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3336-2442-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3364-2915-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-2634-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-2829-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-1575-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3440-2659-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-2305-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3556-2450-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3576-2120-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3708-1713-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3716-3597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-3695-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-3315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-2669-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-4120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-83-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4232-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-5338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-2119-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4336-2357-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4344-4128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-4241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-3418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-1632-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4528-1631-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4552-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4552-100-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4716-6076-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-1119-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4828-2453-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4908-1785-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4920-1965-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4928-6441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-3304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-3488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-1479-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5132-5968-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5164-5163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5396-4535-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5492-4546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5568-6314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5568-6165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5600-5902-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5604-5913-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5744-5921-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5828-5780-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5828-5662-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5872-5137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6000-5951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6032-5488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6060-5881-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6068-6119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download