pony | 99a678c88567f607c450103cffb4aa896539eaf8c9a8023b50771bda379c07eb

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
Size

2.2MB
MD5

cd50fa856f0b044f2f20cff52d4b79fb
SHA1

2b60de9a2448308f7ecb99aa72b07804b598953d
SHA256

99a678c88567f607c450103cffb4aa896539eaf8c9a8023b50771bda379c07eb
SHA512

7c37e3fd20102b4049bb513845834395e9d915ce2b5d6c389f64de22aaddcdfdbb39f7a6f569e45dd66625c7363883555b435fbbe00c65e11dc57a417513f0f1
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwL

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
3412	explorer.exe
2872	explorer.exe
4212	spoolsv.exe
3232	spoolsv.exe
3260	spoolsv.exe
4972	spoolsv.exe
1428	spoolsv.exe
1184	spoolsv.exe
5100	spoolsv.exe
4988	spoolsv.exe
3960	spoolsv.exe
2700	spoolsv.exe
3548	spoolsv.exe
756	spoolsv.exe
2172	spoolsv.exe
1068	spoolsv.exe
4516	spoolsv.exe
4732	spoolsv.exe
4608	spoolsv.exe
1032	spoolsv.exe
4016	spoolsv.exe
2816	spoolsv.exe
4268	spoolsv.exe
3328	spoolsv.exe
212	spoolsv.exe
1904	spoolsv.exe
1452	spoolsv.exe
4152	spoolsv.exe
1668	spoolsv.exe
3568	spoolsv.exe
2300	spoolsv.exe
3676	spoolsv.exe
1268	spoolsv.exe
1232	spoolsv.exe
5116	spoolsv.exe
1152	spoolsv.exe
4172	spoolsv.exe
4844	spoolsv.exe
4360	explorer.exe
2208	spoolsv.exe
1080	spoolsv.exe
5260	spoolsv.exe
5344	spoolsv.exe
5404	spoolsv.exe
5464	spoolsv.exe
5528	spoolsv.exe
5840	spoolsv.exe
5932	explorer.exe
4572	spoolsv.exe
5176	spoolsv.exe
5320	spoolsv.exe
1028	spoolsv.exe
5392	spoolsv.exe
5408	spoolsv.exe
5664	spoolsv.exe
5824	explorer.exe
6084	spoolsv.exe
6120	spoolsv.exe
2188	spoolsv.exe
5148	spoolsv.exe
5224	spoolsv.exe
4500	spoolsv.exe
5348	spoolsv.exe
4112	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 45 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 4068	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	97
PID 3412 set thread context of 2872	3412	explorer.exe	102
PID 4212 set thread context of 4844	4212	spoolsv.exe	139
PID 3232 set thread context of 2208	3232	spoolsv.exe	141
PID 3260 set thread context of 5260	3260	spoolsv.exe	143
PID 4972 set thread context of 5344	4972	spoolsv.exe	144
PID 1428 set thread context of 5404	1428	spoolsv.exe	145
PID 1184 set thread context of 5464	1184	spoolsv.exe	146
PID 5100 set thread context of 5528	5100	spoolsv.exe	147
PID 4988 set thread context of 5840	4988	spoolsv.exe	148
PID 3960 set thread context of 5176	3960	spoolsv.exe	151
PID 2700 set thread context of 5320	2700	spoolsv.exe	152
PID 3548 set thread context of 1028	3548	spoolsv.exe	153
PID 756 set thread context of 5392	756	spoolsv.exe	154
PID 2172 set thread context of 5408	2172	spoolsv.exe	155
PID 1068 set thread context of 5664	1068	spoolsv.exe	156
PID 4516 set thread context of 6120	4516	spoolsv.exe	159
PID 4732 set thread context of 2188	4732	spoolsv.exe	160
PID 4608 set thread context of 5148	4608	spoolsv.exe	161
PID 1032 set thread context of 5224	1032	spoolsv.exe	162
PID 4016 set thread context of 4500	4016	spoolsv.exe	163
PID 2816 set thread context of 5348	2816	spoolsv.exe	164
PID 4268 set thread context of 4112	4268	spoolsv.exe	165
PID 3328 set thread context of 5680	3328	spoolsv.exe	168
PID 212 set thread context of 5880	212	spoolsv.exe	170
PID 1904 set thread context of 5964	1904	spoolsv.exe	171
PID 1452 set thread context of 5856	1452	spoolsv.exe	172
PID 4152 set thread context of 6036	4152	spoolsv.exe	173
PID 1668 set thread context of 404	1668	spoolsv.exe	174
PID 3568 set thread context of 1472	3568	spoolsv.exe	175
PID 2300 set thread context of 3868	2300	spoolsv.exe	176
PID 3676 set thread context of 5440	3676	spoolsv.exe	178
PID 1268 set thread context of 5836	1268	spoolsv.exe	180
PID 1232 set thread context of 5728	1232	spoolsv.exe	181
PID 5116 set thread context of 5612	5116	spoolsv.exe	182
PID 1152 set thread context of 3968	1152	spoolsv.exe	183
PID 4172 set thread context of 3908	4172	spoolsv.exe	188
PID 4360 set thread context of 3772	4360	explorer.exe	198
PID 1080 set thread context of 3596	1080	spoolsv.exe	200
PID 5932 set thread context of 3588	5932	explorer.exe	210
PID 4572 set thread context of 1956	4572	spoolsv.exe	211
PID 6084 set thread context of 3700	6084	spoolsv.exe	217
PID 5824 set thread context of 1908	5824	explorer.exe	219
PID 5756 set thread context of 5496	5756	explorer.exe	223
PID 2452 set thread context of 1536	2452	spoolsv.exe	224

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
4844	spoolsv.exe
4844	spoolsv.exe
2208	spoolsv.exe
2208	spoolsv.exe
5260	spoolsv.exe
5260	spoolsv.exe
5344	spoolsv.exe
5344	spoolsv.exe
5404	spoolsv.exe
5404	spoolsv.exe
5464	spoolsv.exe
5464	spoolsv.exe
5528	spoolsv.exe
5528	spoolsv.exe
5840	spoolsv.exe
5840	spoolsv.exe
5176	spoolsv.exe
5176	spoolsv.exe
5320	spoolsv.exe
5320	spoolsv.exe
1028	spoolsv.exe
1028	spoolsv.exe
5392	spoolsv.exe
5392	spoolsv.exe
5408	spoolsv.exe
5408	spoolsv.exe
5664	spoolsv.exe
5664	spoolsv.exe
6120	spoolsv.exe
6120	spoolsv.exe
2188	spoolsv.exe
2188	spoolsv.exe
5148	spoolsv.exe
5148	spoolsv.exe
5224	spoolsv.exe
5224	spoolsv.exe
4500	spoolsv.exe
4500	spoolsv.exe
5348	spoolsv.exe
5348	spoolsv.exe
4112	spoolsv.exe
4112	spoolsv.exe
5680	spoolsv.exe
5680	spoolsv.exe
5880	spoolsv.exe
5880	spoolsv.exe
5964	spoolsv.exe
5964	spoolsv.exe
5856	spoolsv.exe
5856	spoolsv.exe
6036	spoolsv.exe
6036	spoolsv.exe
404	spoolsv.exe
404	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
3868	spoolsv.exe
3868	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 456	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	84
PID 3028 wrote to memory of 456	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	84
PID 3028 wrote to memory of 4068	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	97
PID 3028 wrote to memory of 4068	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	97
PID 3028 wrote to memory of 4068	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	97
PID 3028 wrote to memory of 4068	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	97
PID 3028 wrote to memory of 4068	3028	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	97
PID 4068 wrote to memory of 3412	4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	98
PID 4068 wrote to memory of 3412	4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	98
PID 4068 wrote to memory of 3412	4068	cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe	98
PID 3412 wrote to memory of 2872	3412	explorer.exe	102
PID 3412 wrote to memory of 2872	3412	explorer.exe	102
PID 3412 wrote to memory of 2872	3412	explorer.exe	102
PID 3412 wrote to memory of 2872	3412	explorer.exe	102
PID 3412 wrote to memory of 2872	3412	explorer.exe	102
PID 2872 wrote to memory of 4212	2872	explorer.exe	103
PID 2872 wrote to memory of 4212	2872	explorer.exe	103
PID 2872 wrote to memory of 4212	2872	explorer.exe	103
PID 2872 wrote to memory of 3232	2872	explorer.exe	104
PID 2872 wrote to memory of 3232	2872	explorer.exe	104
PID 2872 wrote to memory of 3232	2872	explorer.exe	104
PID 2872 wrote to memory of 3260	2872	explorer.exe	105
PID 2872 wrote to memory of 3260	2872	explorer.exe	105
PID 2872 wrote to memory of 3260	2872	explorer.exe	105
PID 2872 wrote to memory of 4972	2872	explorer.exe	106
PID 2872 wrote to memory of 4972	2872	explorer.exe	106
PID 2872 wrote to memory of 4972	2872	explorer.exe	106
PID 2872 wrote to memory of 1428	2872	explorer.exe	107
PID 2872 wrote to memory of 1428	2872	explorer.exe	107
PID 2872 wrote to memory of 1428	2872	explorer.exe	107
PID 2872 wrote to memory of 1184	2872	explorer.exe	108
PID 2872 wrote to memory of 1184	2872	explorer.exe	108
PID 2872 wrote to memory of 1184	2872	explorer.exe	108
PID 2872 wrote to memory of 5100	2872	explorer.exe	109
PID 2872 wrote to memory of 5100	2872	explorer.exe	109
PID 2872 wrote to memory of 5100	2872	explorer.exe	109
PID 2872 wrote to memory of 4988	2872	explorer.exe	110
PID 2872 wrote to memory of 4988	2872	explorer.exe	110
PID 2872 wrote to memory of 4988	2872	explorer.exe	110
PID 2872 wrote to memory of 3960	2872	explorer.exe	111
PID 2872 wrote to memory of 3960	2872	explorer.exe	111
PID 2872 wrote to memory of 3960	2872	explorer.exe	111
PID 2872 wrote to memory of 2700	2872	explorer.exe	112
PID 2872 wrote to memory of 2700	2872	explorer.exe	112
PID 2872 wrote to memory of 2700	2872	explorer.exe	112
PID 2872 wrote to memory of 3548	2872	explorer.exe	113
PID 2872 wrote to memory of 3548	2872	explorer.exe	113
PID 2872 wrote to memory of 3548	2872	explorer.exe	113
PID 2872 wrote to memory of 756	2872	explorer.exe	114
PID 2872 wrote to memory of 756	2872	explorer.exe	114
PID 2872 wrote to memory of 756	2872	explorer.exe	114
PID 2872 wrote to memory of 2172	2872	explorer.exe	116
PID 2872 wrote to memory of 2172	2872	explorer.exe	116
PID 2872 wrote to memory of 2172	2872	explorer.exe	116
PID 2872 wrote to memory of 1068	2872	explorer.exe	117
PID 2872 wrote to memory of 1068	2872	explorer.exe	117
PID 2872 wrote to memory of 1068	2872	explorer.exe	117
PID 2872 wrote to memory of 4516	2872	explorer.exe	118
PID 2872 wrote to memory of 4516	2872	explorer.exe	118
PID 2872 wrote to memory of 4516	2872	explorer.exe	118
PID 2872 wrote to memory of 4732	2872	explorer.exe	119
PID 2872 wrote to memory of 4732	2872	explorer.exe	119
PID 2872 wrote to memory of 4732	2872	explorer.exe	119
PID 2872 wrote to memory of 4608	2872	explorer.exe	120

C:\Users\Admin\AppData\Local\Temp\cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:456
- C:\Users\Admin\AppData\Local\Temp\cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cd50fa856f0b044f2f20cff52d4b79fb_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4068
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4212
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3232
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3260
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5840
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3960
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:756
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1068
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5664
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5824
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4516
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4732
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5680
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:212
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1232
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3908
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2796
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3596
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1956
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3700
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4316
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3752
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5780
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
2368addf0a6b1fee853819b045ee5b06

SHA1
3f53ff3c16a41913ff70f53298e6a5eb711dee62

SHA256
d1ebaa7174a5a94257954113b8f94e45e5e5842517252e4ca144efcd5db0d507

SHA512
938442df2d02663a6c8dc07a572861b93baedb78d164619ecac86a0d64afe39ba7a274c74e1d5cfc9114bd94f346164c6dee2bb5a339a628f1701d6b8a3da93d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
0ff3064b439ebbea19fe224f84a407b1

SHA1
feaf8fa6d9c8ff41487f8db296f2c6f52c737c14

SHA256
65e8c615837ca4058fdd2b89c3c7f3f80b4da668be950bc4c5f6d72cbe3ea765

SHA512
708dbbec4b5c9ddc33f0ab440b3480330bc7df0044c2cc03cdd3e5f9468e17c0755d6306e5830f1f49fe918fa15a6bbdcf9e2faded65f5b0f0430732646ad6a8

Download Submit
memory/212-2393-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/404-3175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-1703-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1004-5574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-2745-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-2174-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1068-1906-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1172-5512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-1305-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1428-1304-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1452-2505-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1472-3185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-5502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-5313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-5529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-2408-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1908-4946-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-4718-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-5802-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-5789-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-1839-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2176-5804-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-2407-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2208-2409-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-5580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-1629-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2816-2242-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2872-874-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-4855-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3028-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3028-42-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3028-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3232-1061-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3232-2411-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3260-2508-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3260-1142-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3328-2392-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3412-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3412-89-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3548-1630-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3588-4572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-4269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-4211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-5058-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-4935-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-4153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3868-3257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3908-3831-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3960-1568-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3968-3459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-2175-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4068-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-3063-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-960-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4212-2400-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4268-2379-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4316-5394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-1907-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4608-2101-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4732-2014-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4816-5545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-2399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-2611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-5598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-1208-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4988-1457-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5100-1386-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5148-2962-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-2957-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5176-2723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5260-2506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5320-2733-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5344-2518-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5392-2755-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5404-2528-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5408-2766-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-3530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-3360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5452-5708-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5496-5190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5528-2547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-3388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5664-3112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5664-2847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5680-3285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5680-3130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5728-3376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-5654-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5800-5520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5836-3368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5840-2831-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5852-5489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5880-3139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5964-3147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6036-3166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6044-5406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6120-2938-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download