pony | ac08c720f771caaeba7f13c1250ffc79082f054308693b65ba8c1a5000f5d587

Analysis

max time kernel
127s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
Size

2.2MB
MD5

cc6dca4e14fcb01f44fa7d1440799994
SHA1

22a7863368b54df7d4242dd88843d1ad14450d14
SHA256

ac08c720f771caaeba7f13c1250ffc79082f054308693b65ba8c1a5000f5d587
SHA512

4ec993689d65c5cb2d1b9548978128f678aece4a0400cec5aa0f76fd7122e77bab3ae10b4bd009d7fa9cb088b6a3727c40e01172b81fa77b3885452ade64e54f
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZp:0UzeyQMS4DqodCnoe+iitjWwwV

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4268	explorer.exe
3776	explorer.exe
3572	spoolsv.exe
3680	spoolsv.exe
3280	spoolsv.exe
1996	spoolsv.exe
3748	spoolsv.exe
4380	spoolsv.exe
5024	spoolsv.exe
3144	spoolsv.exe
2252	spoolsv.exe
1132	spoolsv.exe
2852	spoolsv.exe
4644	spoolsv.exe
1844	spoolsv.exe
4568	spoolsv.exe
3032	spoolsv.exe
2816	spoolsv.exe
740	spoolsv.exe
2824	spoolsv.exe
4596	spoolsv.exe
3852	spoolsv.exe
3616	spoolsv.exe
1800	spoolsv.exe
4876	spoolsv.exe
1716	spoolsv.exe
4220	spoolsv.exe
3204	spoolsv.exe
4632	spoolsv.exe
2428	spoolsv.exe
4872	spoolsv.exe
456	spoolsv.exe
3484	explorer.exe
4360	spoolsv.exe
4032	spoolsv.exe
1028	spoolsv.exe
1216	spoolsv.exe
1052	spoolsv.exe
2640	spoolsv.exe
1624	spoolsv.exe
4688	spoolsv.exe
1788	spoolsv.exe
224	spoolsv.exe
3068	spoolsv.exe
4212	spoolsv.exe
2408	explorer.exe
2440	spoolsv.exe
4864	spoolsv.exe
1220	explorer.exe
5004	spoolsv.exe
4216	spoolsv.exe
4348	spoolsv.exe
1704	spoolsv.exe
1580	spoolsv.exe
2244	explorer.exe
4940	spoolsv.exe
1224	spoolsv.exe
4892	spoolsv.exe
3940	explorer.exe
1840	spoolsv.exe
2140	spoolsv.exe
1560	spoolsv.exe
4192	explorer.exe
3532	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 41 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 4788	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	96
PID 4268 set thread context of 3776	4268	explorer.exe	101
PID 3572 set thread context of 456	3572	spoolsv.exe	132
PID 3680 set thread context of 4360	3680	spoolsv.exe	134
PID 3280 set thread context of 4032	3280	spoolsv.exe	135
PID 1996 set thread context of 1028	1996	spoolsv.exe	136
PID 3748 set thread context of 1216	3748	spoolsv.exe	137
PID 4380 set thread context of 1052	4380	spoolsv.exe	138
PID 5024 set thread context of 2640	5024	spoolsv.exe	139
PID 2252 set thread context of 1788	2252	spoolsv.exe	142
PID 1132 set thread context of 224	1132	spoolsv.exe	143
PID 2852 set thread context of 4212	2852	spoolsv.exe	145
PID 4644 set thread context of 4864	4644	spoolsv.exe	148
PID 1844 set thread context of 5004	1844	spoolsv.exe	150
PID 4568 set thread context of 4216	4568	spoolsv.exe	151
PID 3032 set thread context of 4348	3032	spoolsv.exe	152
PID 2816 set thread context of 1580	2816	spoolsv.exe	154
PID 740 set thread context of 4940	740	spoolsv.exe	156
PID 2824 set thread context of 4892	2824	spoolsv.exe	158
PID 4596 set thread context of 2140	4596	spoolsv.exe	161
PID 3852 set thread context of 1560	3852	spoolsv.exe	162
PID 3616 set thread context of 3532	3616	spoolsv.exe	165
PID 1800 set thread context of 4652	1800	spoolsv.exe	167
PID 4876 set thread context of 3396	4876	spoolsv.exe	168
PID 1716 set thread context of 4756	1716	spoolsv.exe	169
PID 4220 set thread context of 3024	4220	spoolsv.exe	171
PID 3204 set thread context of 4480	3204	spoolsv.exe	173
PID 4632 set thread context of 3744	4632	spoolsv.exe	174
PID 2428 set thread context of 3448	2428	spoolsv.exe	175
PID 4872 set thread context of 1476	4872	spoolsv.exe	189
PID 3484 set thread context of 4624	3484	explorer.exe	193
PID 1624 set thread context of 1044	1624	spoolsv.exe	194
PID 3068 set thread context of 1196	3068	spoolsv.exe	197
PID 2408 set thread context of 2412	2408	explorer.exe	198
PID 2440 set thread context of 5080	2440	spoolsv.exe	204
PID 1220 set thread context of 668	1220	explorer.exe	206
PID 1704 set thread context of 5620	1704	spoolsv.exe	208
PID 2244 set thread context of 5700	2244	explorer.exe	210
PID 1224 set thread context of 5780	1224	spoolsv.exe	211
PID 3940 set thread context of 6140	3940	explorer.exe	213
PID 1840 set thread context of 5444	1840	spoolsv.exe	214

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3776	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
3776	explorer.exe
456	spoolsv.exe
456	spoolsv.exe
4360	spoolsv.exe
4360	spoolsv.exe
4032	spoolsv.exe
4032	spoolsv.exe
1028	spoolsv.exe
1028	spoolsv.exe
1216	spoolsv.exe
1216	spoolsv.exe
1052	spoolsv.exe
1052	spoolsv.exe
2640	spoolsv.exe
2640	spoolsv.exe
4688	spoolsv.exe
4688	spoolsv.exe
1788	spoolsv.exe
1788	spoolsv.exe
224	spoolsv.exe
224	spoolsv.exe
4212	spoolsv.exe
4212	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
5004	spoolsv.exe
5004	spoolsv.exe
4216	spoolsv.exe
4216	spoolsv.exe
4348	spoolsv.exe
4348	spoolsv.exe
1580	spoolsv.exe
1580	spoolsv.exe
4940	spoolsv.exe
4940	spoolsv.exe
4892	spoolsv.exe
4892	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
3532	spoolsv.exe
3532	spoolsv.exe
4652	spoolsv.exe
4652	spoolsv.exe
3396	spoolsv.exe
3396	spoolsv.exe
4756	spoolsv.exe
4756	spoolsv.exe
3024	spoolsv.exe
3024	spoolsv.exe
4480	spoolsv.exe
4480	spoolsv.exe
3744	spoolsv.exe
3744	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
1476	spoolsv.exe
1476	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3080	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	84
PID 3532 wrote to memory of 3080	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	84
PID 3532 wrote to memory of 4788	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	96
PID 3532 wrote to memory of 4788	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	96
PID 3532 wrote to memory of 4788	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	96
PID 3532 wrote to memory of 4788	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	96
PID 3532 wrote to memory of 4788	3532	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	96
PID 4788 wrote to memory of 4268	4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	97
PID 4788 wrote to memory of 4268	4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	97
PID 4788 wrote to memory of 4268	4788	cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe	97
PID 4268 wrote to memory of 3776	4268	explorer.exe	101
PID 4268 wrote to memory of 3776	4268	explorer.exe	101
PID 4268 wrote to memory of 3776	4268	explorer.exe	101
PID 4268 wrote to memory of 3776	4268	explorer.exe	101
PID 4268 wrote to memory of 3776	4268	explorer.exe	101
PID 3776 wrote to memory of 3572	3776	explorer.exe	102
PID 3776 wrote to memory of 3572	3776	explorer.exe	102
PID 3776 wrote to memory of 3572	3776	explorer.exe	102
PID 3776 wrote to memory of 3680	3776	explorer.exe	103
PID 3776 wrote to memory of 3680	3776	explorer.exe	103
PID 3776 wrote to memory of 3680	3776	explorer.exe	103
PID 3776 wrote to memory of 3280	3776	explorer.exe	104
PID 3776 wrote to memory of 3280	3776	explorer.exe	104
PID 3776 wrote to memory of 3280	3776	explorer.exe	104
PID 3776 wrote to memory of 1996	3776	explorer.exe	105
PID 3776 wrote to memory of 1996	3776	explorer.exe	105
PID 3776 wrote to memory of 1996	3776	explorer.exe	105
PID 3776 wrote to memory of 3748	3776	explorer.exe	106
PID 3776 wrote to memory of 3748	3776	explorer.exe	106
PID 3776 wrote to memory of 3748	3776	explorer.exe	106
PID 3776 wrote to memory of 4380	3776	explorer.exe	107
PID 3776 wrote to memory of 4380	3776	explorer.exe	107
PID 3776 wrote to memory of 4380	3776	explorer.exe	107
PID 3776 wrote to memory of 5024	3776	explorer.exe	108
PID 3776 wrote to memory of 5024	3776	explorer.exe	108
PID 3776 wrote to memory of 5024	3776	explorer.exe	108
PID 3776 wrote to memory of 3144	3776	explorer.exe	109
PID 3776 wrote to memory of 3144	3776	explorer.exe	109
PID 3776 wrote to memory of 3144	3776	explorer.exe	109
PID 3776 wrote to memory of 2252	3776	explorer.exe	110
PID 3776 wrote to memory of 2252	3776	explorer.exe	110
PID 3776 wrote to memory of 2252	3776	explorer.exe	110
PID 3776 wrote to memory of 1132	3776	explorer.exe	111
PID 3776 wrote to memory of 1132	3776	explorer.exe	111
PID 3776 wrote to memory of 1132	3776	explorer.exe	111
PID 3776 wrote to memory of 2852	3776	explorer.exe	112
PID 3776 wrote to memory of 2852	3776	explorer.exe	112
PID 3776 wrote to memory of 2852	3776	explorer.exe	112
PID 3776 wrote to memory of 4644	3776	explorer.exe	113
PID 3776 wrote to memory of 4644	3776	explorer.exe	113
PID 3776 wrote to memory of 4644	3776	explorer.exe	113
PID 3776 wrote to memory of 1844	3776	explorer.exe	114
PID 3776 wrote to memory of 1844	3776	explorer.exe	114
PID 3776 wrote to memory of 1844	3776	explorer.exe	114
PID 3776 wrote to memory of 4568	3776	explorer.exe	115
PID 3776 wrote to memory of 4568	3776	explorer.exe	115
PID 3776 wrote to memory of 4568	3776	explorer.exe	115
PID 3776 wrote to memory of 3032	3776	explorer.exe	117
PID 3776 wrote to memory of 3032	3776	explorer.exe	117
PID 3776 wrote to memory of 3032	3776	explorer.exe	117
PID 3776 wrote to memory of 2816	3776	explorer.exe	118
PID 3776 wrote to memory of 2816	3776	explorer.exe	118
PID 3776 wrote to memory of 2816	3776	explorer.exe	118
PID 3776 wrote to memory of 740	3776	explorer.exe	119

C:\Users\Admin\AppData\Local\Temp\cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3080
- C:\Users\Admin\AppData\Local\Temp\cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cc6dca4e14fcb01f44fa7d1440799994_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4788
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3484
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3280
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5024
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2252
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2244
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4596
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3616
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1456
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3068
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4956
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1704
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1416
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5168
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5392
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4392
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2792
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2424
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5864
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:864
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2192
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
fa01411e61804d889371efddfc1b6734

SHA1
90bf16b269c185c799517bd20e8c414dd96a91ad

SHA256
3057833dbecd4bc7ea2d8ced156b1570aefeed5e375ad443be86eb76075ade14

SHA512
7322e9b36d5e1acf5e05d37e2efda301d7cca96d034305857f3618218c74aeba31d1bedfc97bb3566f0f22238ef86f45cc51b62b8507923678153160be1b3bcd

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
aaad4edae0e7aae9358c9811f80809fe

SHA1
18bb09f4268055983531a2e5b5f08a77dfbdbb80

SHA256
c079cbe5da8bfb26a5bfdc02dfc44f0073f628f3b37a6207bcd3e0ff758819ff

SHA512
15892668295e4f0e28f817e9664ddc1e735149a563d6f55c62600c3fbd4fa9c8f1c1270bd3e663c6feacde89fffd316fbfb16264d938e0d59652f8ecd0e2104c

Download Submit
memory/224-2022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-2018-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/456-1838-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/456-2060-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-4328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-1677-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1028-1870-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-4177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-4018-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1132-1181-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1196-4103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-3864-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-3956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-2953-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-2799-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-2478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-2638-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-5076-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-2010-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-1857-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1844-1361-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1996-864-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2140-2727-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-2724-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-5458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-5611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-1105-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2412-4115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-1895-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-1607-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2824-1753-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2852-1247-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3024-2977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-1606-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3144-998-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3280-863-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3280-1859-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3396-2902-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-5114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-5110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-0-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3532-22-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3532-30-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3532-2819-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3532-2821-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-797-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3572-1839-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3616-1847-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3680-798-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3680-1846-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3688-5066-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-3082-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-865-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3776-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3776-771-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-1832-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4032-1858-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-2289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-2325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-76-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4268-82-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4348-2337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-1848-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-996-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4568-1552-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4596-1830-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4624-4011-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-1293-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4652-2894-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-5296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-2001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-3131-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-2970-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-68-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4864-2305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-2440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-2650-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-2780-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-2489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-2314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-997-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5080-4316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-4442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-4809-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-4927-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5172-5018-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5392-5252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5392-5027-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5420-5037-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5436-5277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5444-4728-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5480-5538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5536-5306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5620-4460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5620-4588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5652-5044-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-4470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-4479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-4477-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5864-5285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5864-5436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5876-4785-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5920-5311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5968-5378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6048-5125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6140-4556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download