pony | 72c41c2859fb687a75a8ce7daab3b14f9e6f104bf02c3d06bfc5291779b72ce4

Analysis

max time kernel
147s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
Size

2.2MB
MD5

cc34d4795411fc659d496b96e1f6e80f
SHA1

a5da4f21941401e5384d30b476cdd82e0649fc73
SHA256

72c41c2859fb687a75a8ce7daab3b14f9e6f104bf02c3d06bfc5291779b72ce4
SHA512

2bd14cbb89facd6b1587ef917a77775aa747e82e5b0be3a753eb0ff7b72664135f3942d0e65fb30765219643d711369025a9be7390dd1ef0522f753cdc0e64c8
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ7:0UzeyQMS4DqodCnoe+iitjWwwH

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1292	explorer.exe
2608	explorer.exe
3592	spoolsv.exe
4656	spoolsv.exe
3668	spoolsv.exe
2312	spoolsv.exe
3928	spoolsv.exe
3896	spoolsv.exe
3344	spoolsv.exe
2436	spoolsv.exe
540	spoolsv.exe
536	spoolsv.exe
4976	spoolsv.exe
1084	spoolsv.exe
3100	spoolsv.exe
3676	spoolsv.exe
3868	spoolsv.exe
4648	spoolsv.exe
1216	spoolsv.exe
3740	spoolsv.exe
2768	spoolsv.exe
4228	spoolsv.exe
4892	spoolsv.exe
716	spoolsv.exe
2356	spoolsv.exe
2628	spoolsv.exe
3628	spoolsv.exe
2412	spoolsv.exe
912	spoolsv.exe
5012	spoolsv.exe
4288	spoolsv.exe
1564	spoolsv.exe
1292	spoolsv.exe
4908	spoolsv.exe
5228	spoolsv.exe
5512	spoolsv.exe
5892	spoolsv.exe
3140	spoolsv.exe
5180	spoolsv.exe
5224	explorer.exe
5296	spoolsv.exe
5388	spoolsv.exe
5448	spoolsv.exe
5508	spoolsv.exe
5608	spoolsv.exe
5672	spoolsv.exe
5736	spoolsv.exe
6064	spoolsv.exe
6048	spoolsv.exe
5428	spoolsv.exe
3468	explorer.exe
5540	spoolsv.exe
5584	spoolsv.exe
2084	spoolsv.exe
5664	spoolsv.exe
5712	spoolsv.exe
5756	spoolsv.exe
3256	spoolsv.exe
5908	spoolsv.exe
5960	spoolsv.exe
6052	spoolsv.exe
6116	spoolsv.exe
5336	spoolsv.exe
5580	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 60 IoCs

description	pid	Process	procid_target
PID 3112 set thread context of 2916	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	98
PID 1292 set thread context of 2608	1292	explorer.exe	103
PID 3592 set thread context of 5180	3592	spoolsv.exe	141
PID 4656 set thread context of 5296	4656	spoolsv.exe	143
PID 3668 set thread context of 5388	3668	spoolsv.exe	144
PID 2312 set thread context of 5448	2312	spoolsv.exe	145
PID 3928 set thread context of 5508	3928	spoolsv.exe	146
PID 3896 set thread context of 5608	3896	spoolsv.exe	147
PID 3344 set thread context of 5672	3344	spoolsv.exe	148
PID 2436 set thread context of 5736	2436	spoolsv.exe	149
PID 540 set thread context of 6064	540	spoolsv.exe	151
PID 536 set thread context of 5428	536	spoolsv.exe	152
PID 4976 set thread context of 5540	4976	spoolsv.exe	154
PID 1084 set thread context of 5584	1084	spoolsv.exe	155
PID 3100 set thread context of 2084	3100	spoolsv.exe	156
PID 3676 set thread context of 5664	3676	spoolsv.exe	157
PID 3868 set thread context of 5712	3868	spoolsv.exe	158
PID 4648 set thread context of 5756	4648	spoolsv.exe	159
PID 1216 set thread context of 3256	1216	spoolsv.exe	160
PID 3740 set thread context of 5908	3740	spoolsv.exe	161
PID 2768 set thread context of 5960	2768	spoolsv.exe	162
PID 4228 set thread context of 6052	4228	spoolsv.exe	163
PID 4892 set thread context of 6116	4892	spoolsv.exe	165
PID 716 set thread context of 5580	716	spoolsv.exe	167
PID 2356 set thread context of 5652	2356	spoolsv.exe	169
PID 2628 set thread context of 5720	2628	spoolsv.exe	170
PID 3628 set thread context of 5776	3628	spoolsv.exe	171
PID 2412 set thread context of 5008	2412	spoolsv.exe	172
PID 912 set thread context of 5808	912	spoolsv.exe	173
PID 5012 set thread context of 5852	5012	spoolsv.exe	174
PID 4288 set thread context of 2308	4288	spoolsv.exe	175
PID 1564 set thread context of 4900	1564	spoolsv.exe	177
PID 1292 set thread context of 4032	1292	spoolsv.exe	179
PID 4908 set thread context of 4220	4908	spoolsv.exe	180
PID 5228 set thread context of 5504	5228	spoolsv.exe	181
PID 5512 set thread context of 5612	5512	spoolsv.exe	182
PID 5892 set thread context of 5988	5892	spoolsv.exe	185
PID 3140 set thread context of 4312	3140	spoolsv.exe	198
PID 5224 set thread context of 468	5224	explorer.exe	201
PID 6048 set thread context of 2468	6048	spoolsv.exe	213
PID 3468 set thread context of 2204	3468	explorer.exe	215
PID 1756 set thread context of 5760	1756	explorer.exe	221
PID 5336 set thread context of 5436	5336	spoolsv.exe	223
PID 2848 set thread context of 4832	2848	explorer.exe	228
PID 5456 set thread context of 2340	5456	spoolsv.exe	229
PID 3032 set thread context of 5440	3032	explorer.exe	231
PID 5812 set thread context of 5504	5812	spoolsv.exe	232
PID 5140 set thread context of 1888	5140	spoolsv.exe	233
PID 2896 set thread context of 1152	2896	spoolsv.exe	234
PID 5660 set thread context of 2580	5660	spoolsv.exe	235
PID 5932 set thread context of 2828	5932	spoolsv.exe	237
PID 1008 set thread context of 464	1008	spoolsv.exe	238
PID 5252 set thread context of 5844	5252	spoolsv.exe	239
PID 3004 set thread context of 4008	3004	spoolsv.exe	240
PID 6084 set thread context of 5656	6084	spoolsv.exe	241
PID 1356 set thread context of 5212	1356	explorer.exe	243
PID 5556 set thread context of 5232	5556	spoolsv.exe	245
PID 2036 set thread context of 3964	2036	spoolsv.exe	246
PID 1200 set thread context of 3900	1200	spoolsv.exe	247
PID 5108 set thread context of 5848	5108	spoolsv.exe	248

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2608	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
5180	spoolsv.exe
5180	spoolsv.exe
5296	spoolsv.exe
5296	spoolsv.exe
5388	spoolsv.exe
5388	spoolsv.exe
5448	spoolsv.exe
5448	spoolsv.exe
5508	spoolsv.exe
5508	spoolsv.exe
5608	spoolsv.exe
5608	spoolsv.exe
5672	spoolsv.exe
5672	spoolsv.exe
5736	spoolsv.exe
5736	spoolsv.exe
6064	spoolsv.exe
6064	spoolsv.exe
5428	spoolsv.exe
5428	spoolsv.exe
5540	spoolsv.exe
5540	spoolsv.exe
5584	spoolsv.exe
5584	spoolsv.exe
2084	spoolsv.exe
2084	spoolsv.exe
5664	spoolsv.exe
5664	spoolsv.exe
5712	spoolsv.exe
5712	spoolsv.exe
5756	spoolsv.exe
5756	spoolsv.exe
3256	spoolsv.exe
3256	spoolsv.exe
5908	spoolsv.exe
5908	spoolsv.exe
5960	spoolsv.exe
5960	spoolsv.exe
6052	spoolsv.exe
6052	spoolsv.exe
6116	spoolsv.exe
6116	spoolsv.exe
5580	spoolsv.exe
5580	spoolsv.exe
5652	spoolsv.exe
5652	spoolsv.exe
5720	spoolsv.exe
5720	spoolsv.exe
5776	spoolsv.exe
5776	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5808	spoolsv.exe
5808	spoolsv.exe
5852	spoolsv.exe
5852	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3388	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	87
PID 3112 wrote to memory of 3388	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	87
PID 3112 wrote to memory of 2916	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	98
PID 3112 wrote to memory of 2916	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	98
PID 3112 wrote to memory of 2916	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	98
PID 3112 wrote to memory of 2916	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	98
PID 3112 wrote to memory of 2916	3112	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	98
PID 2916 wrote to memory of 1292	2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	99
PID 2916 wrote to memory of 1292	2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	99
PID 2916 wrote to memory of 1292	2916	cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe	99
PID 1292 wrote to memory of 2608	1292	explorer.exe	103
PID 1292 wrote to memory of 2608	1292	explorer.exe	103
PID 1292 wrote to memory of 2608	1292	explorer.exe	103
PID 1292 wrote to memory of 2608	1292	explorer.exe	103
PID 1292 wrote to memory of 2608	1292	explorer.exe	103
PID 2608 wrote to memory of 3592	2608	explorer.exe	104
PID 2608 wrote to memory of 3592	2608	explorer.exe	104
PID 2608 wrote to memory of 3592	2608	explorer.exe	104
PID 2608 wrote to memory of 4656	2608	explorer.exe	105
PID 2608 wrote to memory of 4656	2608	explorer.exe	105
PID 2608 wrote to memory of 4656	2608	explorer.exe	105
PID 2608 wrote to memory of 3668	2608	explorer.exe	106
PID 2608 wrote to memory of 3668	2608	explorer.exe	106
PID 2608 wrote to memory of 3668	2608	explorer.exe	106
PID 2608 wrote to memory of 2312	2608	explorer.exe	107
PID 2608 wrote to memory of 2312	2608	explorer.exe	107
PID 2608 wrote to memory of 2312	2608	explorer.exe	107
PID 2608 wrote to memory of 3928	2608	explorer.exe	108
PID 2608 wrote to memory of 3928	2608	explorer.exe	108
PID 2608 wrote to memory of 3928	2608	explorer.exe	108
PID 2608 wrote to memory of 3896	2608	explorer.exe	109
PID 2608 wrote to memory of 3896	2608	explorer.exe	109
PID 2608 wrote to memory of 3896	2608	explorer.exe	109
PID 2608 wrote to memory of 3344	2608	explorer.exe	110
PID 2608 wrote to memory of 3344	2608	explorer.exe	110
PID 2608 wrote to memory of 3344	2608	explorer.exe	110
PID 2608 wrote to memory of 2436	2608	explorer.exe	111
PID 2608 wrote to memory of 2436	2608	explorer.exe	111
PID 2608 wrote to memory of 2436	2608	explorer.exe	111
PID 2608 wrote to memory of 540	2608	explorer.exe	112
PID 2608 wrote to memory of 540	2608	explorer.exe	112
PID 2608 wrote to memory of 540	2608	explorer.exe	112
PID 2608 wrote to memory of 536	2608	explorer.exe	113
PID 2608 wrote to memory of 536	2608	explorer.exe	113
PID 2608 wrote to memory of 536	2608	explorer.exe	113
PID 2608 wrote to memory of 4976	2608	explorer.exe	114
PID 2608 wrote to memory of 4976	2608	explorer.exe	114
PID 2608 wrote to memory of 4976	2608	explorer.exe	114
PID 2608 wrote to memory of 1084	2608	explorer.exe	116
PID 2608 wrote to memory of 1084	2608	explorer.exe	116
PID 2608 wrote to memory of 1084	2608	explorer.exe	116
PID 2608 wrote to memory of 3100	2608	explorer.exe	117
PID 2608 wrote to memory of 3100	2608	explorer.exe	117
PID 2608 wrote to memory of 3100	2608	explorer.exe	117
PID 2608 wrote to memory of 3676	2608	explorer.exe	118
PID 2608 wrote to memory of 3676	2608	explorer.exe	118
PID 2608 wrote to memory of 3676	2608	explorer.exe	118
PID 2608 wrote to memory of 3868	2608	explorer.exe	119
PID 2608 wrote to memory of 3868	2608	explorer.exe	119
PID 2608 wrote to memory of 3868	2608	explorer.exe	119
PID 2608 wrote to memory of 4648	2608	explorer.exe	120
PID 2608 wrote to memory of 4648	2608	explorer.exe	120
PID 2608 wrote to memory of 4648	2608	explorer.exe	120
PID 2608 wrote to memory of 1216	2608	explorer.exe	121

C:\Users\Admin\AppData\Local\Temp\cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cc34d4795411fc659d496b96e1f6e80f_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5180
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4656
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2436
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:536
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5428
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3468
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1216
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5580
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1756
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2848
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3032
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5660
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1008
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5252
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5656
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1200
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5108
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5472
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
e4e98820d350305b6513f57c6c867192

SHA1
bc318a6f7d2a54391373476814665e76bc56eb99

SHA256
2127d2f65a4630e79b046bc63426b2a99c2b755a630245efaa56844218c877de

SHA512
a8f8b6e5241f8f5cdec1083b4af85d6003fcce27f183f5c7eed236dc64f71686c87ab7aed52aa5eeab0894e91ff7314cd0109b8766f8c422533bfaef25fe1e71

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
6ce7b63daa3663e71d18b3924a4ebf9d

SHA1
d0a258fe7257f926ca2ef136c9588a423ad334de

SHA256
d13bb0f4bf9aa0c0bb9c6d51c45900049e723bfbe2976dcaf1b2cc371b49b55f

SHA512
4c30d53db21659b67ecfb3158edc58cd74f111f4a7d86f76622f9331b644571ca17f854cbae05f975518dc3325087baf52af94b906cfdd8e4600857f3ee62afd

Download Submit
memory/464-5539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-4002-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-1553-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/540-1552-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/716-2334-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1084-1737-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1216-1969-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1292-79-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1292-84-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2084-2702-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-4658-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-1237-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2340-5402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-2412-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2412-2439-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2436-1486-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2468-4761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-4645-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-5505-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-858-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-4644-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-2426-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2768-2124-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2828-5529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-67-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3100-1793-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3112-17-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3112-16-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3112-0-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3112-23-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3256-2741-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-1415-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3592-2419-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3592-974-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3628-2427-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-1146-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3676-1794-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3740-2026-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3868-1906-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3896-1304-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3928-1303-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4008-5557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-3186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-5791-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-5788-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-3199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-2241-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4312-3917-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-4065-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-1968-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4656-1055-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4656-2430-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4832-5392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-2242-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4900-3129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-1664-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5180-2418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5180-2655-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5212-5744-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5232-5753-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5296-2428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5388-2440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5428-2673-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5436-5120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-5424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5448-2452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5472-6001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5508-2462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5580-2943-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-2691-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5608-2474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-3275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-3408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5652-2963-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5656-5849-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5656-5653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5664-2713-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5672-2483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5720-2974-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5736-2495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5756-2732-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-5043-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5776-2985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-3004-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-3001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5844-5550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5844-5546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5848-5781-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5908-2749-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5960-2758-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5988-3340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6052-2767-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6064-2556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6116-2808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download