pony | b2233113449ad82d76661b603b6720bc92d781605522e3cdc05109071d69a9db

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
Size

2.2MB
MD5

d3e9b5a000aa9e5464c4bc4b9f40a08c
SHA1

f33dbfd4ca92723526edca63fa7bdd8c87c0620c
SHA256

b2233113449ad82d76661b603b6720bc92d781605522e3cdc05109071d69a9db
SHA512

ed09990bb08bc3960a0aa1422708d37deaa440030d4a5e7926264aeb9bdbf97565dc6ed617d6784b8a5d1653d95b45049a9f35fc45151b9c5a361edc702f3ef2
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ6:0UzeyQMS4DqodCnoe+iitjWwwu

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2996	explorer.exe
5024	explorer.exe
3488	spoolsv.exe
1408	spoolsv.exe
976	spoolsv.exe
2320	spoolsv.exe
1088	spoolsv.exe
2644	spoolsv.exe
1456	spoolsv.exe
916	spoolsv.exe
2472	spoolsv.exe
3316	spoolsv.exe
1424	spoolsv.exe
2820	spoolsv.exe
4800	spoolsv.exe
4912	spoolsv.exe
3472	spoolsv.exe
2780	spoolsv.exe
4132	spoolsv.exe
4116	spoolsv.exe
3560	spoolsv.exe
4276	spoolsv.exe
5096	spoolsv.exe
3004	spoolsv.exe
2864	spoolsv.exe
1440	spoolsv.exe
3384	spoolsv.exe
4716	spoolsv.exe
232	spoolsv.exe
3640	spoolsv.exe
2900	spoolsv.exe
2292	spoolsv.exe
4364	spoolsv.exe
4168	explorer.exe
3696	spoolsv.exe
2672	spoolsv.exe
1676	spoolsv.exe
3236	spoolsv.exe
2248	spoolsv.exe
624	spoolsv.exe
5112	explorer.exe
1032	spoolsv.exe
4860	spoolsv.exe
2376	spoolsv.exe
456	spoolsv.exe
436	spoolsv.exe
3588	explorer.exe
1636	spoolsv.exe
936	spoolsv.exe
3572	spoolsv.exe
4644	spoolsv.exe
2688	spoolsv.exe
2384	spoolsv.exe
4560	spoolsv.exe
2992	spoolsv.exe
3148	explorer.exe
3988	spoolsv.exe
1580	spoolsv.exe
5064	spoolsv.exe
4308	spoolsv.exe
3476	spoolsv.exe
732	spoolsv.exe
3068	explorer.exe
1836	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 52 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 3272	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	96
PID 2996 set thread context of 5024	2996	explorer.exe	100
PID 3488 set thread context of 4364	3488	spoolsv.exe	131
PID 1408 set thread context of 3696	1408	spoolsv.exe	133
PID 976 set thread context of 2672	976	spoolsv.exe	134
PID 2320 set thread context of 1676	2320	spoolsv.exe	135
PID 1088 set thread context of 2248	1088	spoolsv.exe	137
PID 2644 set thread context of 624	2644	spoolsv.exe	138
PID 1456 set thread context of 1032	1456	spoolsv.exe	140
PID 916 set thread context of 4860	916	spoolsv.exe	141
PID 2472 set thread context of 2376	2472	spoolsv.exe	142
PID 3316 set thread context of 436	3316	spoolsv.exe	144
PID 1424 set thread context of 1636	1424	spoolsv.exe	146
PID 2820 set thread context of 936	2820	spoolsv.exe	147
PID 4800 set thread context of 3572	4800	spoolsv.exe	148
PID 4912 set thread context of 4644	4912	spoolsv.exe	149
PID 3472 set thread context of 2688	3472	spoolsv.exe	150
PID 2780 set thread context of 2384	2780	spoolsv.exe	151
PID 4132 set thread context of 2992	4132	spoolsv.exe	153
PID 4116 set thread context of 3988	4116	spoolsv.exe	155
PID 3560 set thread context of 1580	3560	spoolsv.exe	156
PID 4276 set thread context of 5064	4276	spoolsv.exe	157
PID 5096 set thread context of 4308	5096	spoolsv.exe	158
PID 3004 set thread context of 732	3004	spoolsv.exe	160
PID 2864 set thread context of 1836	2864	spoolsv.exe	162
PID 1440 set thread context of 2556	1440	spoolsv.exe	163
PID 3384 set thread context of 3564	3384	spoolsv.exe	164
PID 4716 set thread context of 3716	4716	spoolsv.exe	165
PID 232 set thread context of 2696	232	spoolsv.exe	167
PID 3640 set thread context of 724	3640	spoolsv.exe	169
PID 2900 set thread context of 4372	2900	spoolsv.exe	170
PID 2292 set thread context of 4748	2292	spoolsv.exe	174
PID 4168 set thread context of 3984	4168	explorer.exe	176
PID 3236 set thread context of 2996	3236	spoolsv.exe	180
PID 5112 set thread context of 4280	5112	explorer.exe	182
PID 3588 set thread context of 2592	3588	explorer.exe	188
PID 456 set thread context of 4548	456	spoolsv.exe	189
PID 3148 set thread context of 852	3148	explorer.exe	195
PID 4560 set thread context of 4328	4560	spoolsv.exe	196
PID 3068 set thread context of 1808	3068	explorer.exe	201
PID 3476 set thread context of 3976	3476	spoolsv.exe	202
PID 880 set thread context of 1428	880	spoolsv.exe	206
PID 4624 set thread context of 220	4624	explorer.exe	208
PID 5092 set thread context of 1228	5092	spoolsv.exe	210
PID 1268 set thread context of 1180	1268	spoolsv.exe	212
PID 2752 set thread context of 1700	2752	spoolsv.exe	214
PID 4916 set thread context of 3432	4916	explorer.exe	215
PID 840 set thread context of 844	840	spoolsv.exe	216
PID 4440 set thread context of 1404	4440	spoolsv.exe	218
PID 4704 set thread context of 768	4704	spoolsv.exe	221
PID 4108 set thread context of 1056	4108	explorer.exe	223
PID 2188 set thread context of 4784	2188	spoolsv.exe	224

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5024	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
4364	spoolsv.exe
4364	spoolsv.exe
3696	spoolsv.exe
3696	spoolsv.exe
2672	spoolsv.exe
2672	spoolsv.exe
1676	spoolsv.exe
1676	spoolsv.exe
2248	spoolsv.exe
2248	spoolsv.exe
624	spoolsv.exe
624	spoolsv.exe
1032	spoolsv.exe
1032	spoolsv.exe
4860	spoolsv.exe
4860	spoolsv.exe
2376	spoolsv.exe
2376	spoolsv.exe
436	spoolsv.exe
436	spoolsv.exe
1636	spoolsv.exe
1636	spoolsv.exe
936	spoolsv.exe
936	spoolsv.exe
3572	spoolsv.exe
3572	spoolsv.exe
4644	spoolsv.exe
4644	spoolsv.exe
2688	spoolsv.exe
2688	spoolsv.exe
2384	spoolsv.exe
2384	spoolsv.exe
2992	spoolsv.exe
2992	spoolsv.exe
3988	spoolsv.exe
3988	spoolsv.exe
1580	spoolsv.exe
1580	spoolsv.exe
5064	spoolsv.exe
5064	spoolsv.exe
4308	spoolsv.exe
4308	spoolsv.exe
732	spoolsv.exe
732	spoolsv.exe
1836	spoolsv.exe
1836	spoolsv.exe
2556	spoolsv.exe
2556	spoolsv.exe
3564	spoolsv.exe
3564	spoolsv.exe
3716	spoolsv.exe
3716	spoolsv.exe
2696	spoolsv.exe
2696	spoolsv.exe
724	spoolsv.exe
724	spoolsv.exe
4372	spoolsv.exe
4372	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1448	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	83
PID 4880 wrote to memory of 1448	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	83
PID 4880 wrote to memory of 3272	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	96
PID 4880 wrote to memory of 3272	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	96
PID 4880 wrote to memory of 3272	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	96
PID 4880 wrote to memory of 3272	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	96
PID 4880 wrote to memory of 3272	4880	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	96
PID 3272 wrote to memory of 2996	3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	97
PID 3272 wrote to memory of 2996	3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	97
PID 3272 wrote to memory of 2996	3272	d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe	97
PID 2996 wrote to memory of 5024	2996	explorer.exe	100
PID 2996 wrote to memory of 5024	2996	explorer.exe	100
PID 2996 wrote to memory of 5024	2996	explorer.exe	100
PID 2996 wrote to memory of 5024	2996	explorer.exe	100
PID 2996 wrote to memory of 5024	2996	explorer.exe	100
PID 5024 wrote to memory of 3488	5024	explorer.exe	101
PID 5024 wrote to memory of 3488	5024	explorer.exe	101
PID 5024 wrote to memory of 3488	5024	explorer.exe	101
PID 5024 wrote to memory of 1408	5024	explorer.exe	102
PID 5024 wrote to memory of 1408	5024	explorer.exe	102
PID 5024 wrote to memory of 1408	5024	explorer.exe	102
PID 5024 wrote to memory of 976	5024	explorer.exe	103
PID 5024 wrote to memory of 976	5024	explorer.exe	103
PID 5024 wrote to memory of 976	5024	explorer.exe	103
PID 5024 wrote to memory of 2320	5024	explorer.exe	104
PID 5024 wrote to memory of 2320	5024	explorer.exe	104
PID 5024 wrote to memory of 2320	5024	explorer.exe	104
PID 5024 wrote to memory of 1088	5024	explorer.exe	105
PID 5024 wrote to memory of 1088	5024	explorer.exe	105
PID 5024 wrote to memory of 1088	5024	explorer.exe	105
PID 5024 wrote to memory of 2644	5024	explorer.exe	106
PID 5024 wrote to memory of 2644	5024	explorer.exe	106
PID 5024 wrote to memory of 2644	5024	explorer.exe	106
PID 5024 wrote to memory of 1456	5024	explorer.exe	107
PID 5024 wrote to memory of 1456	5024	explorer.exe	107
PID 5024 wrote to memory of 1456	5024	explorer.exe	107
PID 5024 wrote to memory of 916	5024	explorer.exe	108
PID 5024 wrote to memory of 916	5024	explorer.exe	108
PID 5024 wrote to memory of 916	5024	explorer.exe	108
PID 5024 wrote to memory of 2472	5024	explorer.exe	109
PID 5024 wrote to memory of 2472	5024	explorer.exe	109
PID 5024 wrote to memory of 2472	5024	explorer.exe	109
PID 5024 wrote to memory of 3316	5024	explorer.exe	110
PID 5024 wrote to memory of 3316	5024	explorer.exe	110
PID 5024 wrote to memory of 3316	5024	explorer.exe	110
PID 5024 wrote to memory of 1424	5024	explorer.exe	111
PID 5024 wrote to memory of 1424	5024	explorer.exe	111
PID 5024 wrote to memory of 1424	5024	explorer.exe	111
PID 5024 wrote to memory of 2820	5024	explorer.exe	112
PID 5024 wrote to memory of 2820	5024	explorer.exe	112
PID 5024 wrote to memory of 2820	5024	explorer.exe	112
PID 5024 wrote to memory of 4800	5024	explorer.exe	113
PID 5024 wrote to memory of 4800	5024	explorer.exe	113
PID 5024 wrote to memory of 4800	5024	explorer.exe	113
PID 5024 wrote to memory of 4912	5024	explorer.exe	114
PID 5024 wrote to memory of 4912	5024	explorer.exe	114
PID 5024 wrote to memory of 4912	5024	explorer.exe	114
PID 5024 wrote to memory of 3472	5024	explorer.exe	115
PID 5024 wrote to memory of 3472	5024	explorer.exe	115
PID 5024 wrote to memory of 3472	5024	explorer.exe	115
PID 5024 wrote to memory of 2780	5024	explorer.exe	116
PID 5024 wrote to memory of 2780	5024	explorer.exe	116
PID 5024 wrote to memory of 2780	5024	explorer.exe	116
PID 5024 wrote to memory of 4132	5024	explorer.exe	117

C:\Users\Admin\AppData\Local\Temp\d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d3e9b5a000aa9e5464c4bc4b9f40a08c_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3272
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3316
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3588
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1424
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2820
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2780
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:732
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2864
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3384
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:232
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4624
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4748
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3236
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2996
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:880
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1428
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1180
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2752
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1404
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4704
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2188
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
5cda8224a55a9ec709ba92733efe34f5

SHA1
9b088b3d9e527375e2d3f1da56626100ce1930cf

SHA256
9a9b7b0a4078f4d1a4db53b51f2aafa6a0314ab32f25af1fce5b2aa000a6017c

SHA512
792c39dfa1472517fa31db78a8749672aaa8991a38872ec5ad3f4e1aeb7ce4e043af116424e291208c088de1774c48204d06680babaa508d07506a9a0e39f319

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
d3bd2127d63cd7a916cbcf406c79d472

SHA1
de5db53631e44c6d2dfa753ab90dd5547d69b3ab

SHA256
28f2164da70cc984712e52337e8e5cd472a7799d94340f89666e026f26eaad86

SHA512
74ecafa8be169199778eff703aff514b183214b8427a1841b26b722f9a683e4dd8a4b436cbe9960820fb5a213afc71d04998c932234f706e3057cd3f91604a8b

Download Submit
memory/436-2483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-2374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-2357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-2199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/724-2924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-2837-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-2763-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-5054-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/844-4813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/844-4808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-1303-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/936-2404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-2406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-2037-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/976-998-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1032-2210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-5062-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-1110-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1180-4931-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-4629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-4633-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-5030-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-2024-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1408-927-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1424-1488-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1428-4670-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-4539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1456-1252-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1580-2615-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-2393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-2396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-2047-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-4790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-5079-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-4377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-2772-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-2776-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-2180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-1109-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2320-2045-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2376-2229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-1359-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2556-2783-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-2785-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-3807-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-1191-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2672-2036-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-2435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-2914-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-1787-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2820-1559-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2864-2046-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2992-2682-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-2596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-3406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-111-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2996-105-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2996-3519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-2035-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3272-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-1426-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3432-4801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-1786-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3488-784-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3488-2016-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3560-1998-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3564-2791-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-2796-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-2415-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-2025-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-2802-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-4516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-3163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-2608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-2604-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4116-1921-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4132-1844-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4276-2023-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4280-3416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-4112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-2015-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-2176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-2936-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-3942-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-2428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-2423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-3265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-3154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-5071-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-1616-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4860-2223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-46-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4880-55-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4880-47-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4880-0-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4912-1683-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5024-3801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-707-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-2624-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-2627-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-2034-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download