pony | 5dea14ad224cb50721fbe0a644a6f787c9e3c0b22aae6d0c8fa905d814ab7adf

Analysis

max time kernel
134s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
Size

2.2MB
MD5

d4e6fb165bcffae035c76f044772e507
SHA1

7e67d0d8e85e9291242118e9331f08e714a08ea1
SHA256

5dea14ad224cb50721fbe0a644a6f787c9e3c0b22aae6d0c8fa905d814ab7adf
SHA512

7c3c66a307cc076d208f8e269913d26982e992ccda84d347ffdffcb997904db6d7c68ef6e1fb3293288d64f3c375e132e3f652756c695a514a99ad588d407730
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwb

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
692	explorer.exe
3148	explorer.exe
1532	spoolsv.exe
676	spoolsv.exe
4396	spoolsv.exe
2000	spoolsv.exe
1332	spoolsv.exe
4348	spoolsv.exe
4304	spoolsv.exe
3448	spoolsv.exe
3876	spoolsv.exe
4380	spoolsv.exe
932	spoolsv.exe
2080	spoolsv.exe
1456	spoolsv.exe
1016	spoolsv.exe
1592	spoolsv.exe
1444	spoolsv.exe
1132	spoolsv.exe
1928	spoolsv.exe
1348	spoolsv.exe
448	spoolsv.exe
1372	spoolsv.exe
1632	spoolsv.exe
2360	spoolsv.exe
4240	spoolsv.exe
1904	spoolsv.exe
2320	spoolsv.exe
3760	spoolsv.exe
1436	spoolsv.exe
4692	spoolsv.exe
1344	spoolsv.exe
3288	spoolsv.exe
3700	explorer.exe
716	spoolsv.exe
4984	spoolsv.exe
2620	spoolsv.exe
1524	spoolsv.exe
1684	spoolsv.exe
4956	explorer.exe
3200	spoolsv.exe
552	spoolsv.exe
4048	spoolsv.exe
3532	spoolsv.exe
4308	spoolsv.exe
1076	explorer.exe
4992	spoolsv.exe
1868	spoolsv.exe
116	spoolsv.exe
3088	spoolsv.exe
1976	spoolsv.exe
2672	explorer.exe
880	spoolsv.exe
4668	spoolsv.exe
3172	spoolsv.exe
4408	spoolsv.exe
404	spoolsv.exe
4164	explorer.exe
2688	spoolsv.exe
264	spoolsv.exe
5024	spoolsv.exe
4332	spoolsv.exe
2004	spoolsv.exe
1700	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 43 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 4896	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	94
PID 692 set thread context of 3148	692	explorer.exe	100
PID 1532 set thread context of 3288	1532	spoolsv.exe	131
PID 676 set thread context of 716	676	spoolsv.exe	133
PID 4396 set thread context of 4984	4396	spoolsv.exe	134
PID 2000 set thread context of 2620	2000	spoolsv.exe	135
PID 1332 set thread context of 1684	1332	spoolsv.exe	137
PID 4348 set thread context of 3200	4348	spoolsv.exe	139
PID 4304 set thread context of 552	4304	spoolsv.exe	140
PID 3448 set thread context of 4048	3448	spoolsv.exe	141
PID 3876 set thread context of 4308	3876	spoolsv.exe	143
PID 4380 set thread context of 4992	4380	spoolsv.exe	145
PID 932 set thread context of 1868	932	spoolsv.exe	146
PID 2080 set thread context of 116	2080	spoolsv.exe	147
PID 1456 set thread context of 1976	1456	spoolsv.exe	149
PID 1016 set thread context of 880	1016	spoolsv.exe	151
PID 1592 set thread context of 4668	1592	spoolsv.exe	152
PID 1444 set thread context of 4408	1444	spoolsv.exe	154
PID 1132 set thread context of 404	1132	spoolsv.exe	155
PID 1928 set thread context of 2688	1928	spoolsv.exe	157
PID 1348 set thread context of 264	1348	spoolsv.exe	158
PID 448 set thread context of 5024	448	spoolsv.exe	159
PID 1372 set thread context of 2004	1372	spoolsv.exe	161
PID 1632 set thread context of 5108	1632	spoolsv.exe	163
PID 2360 set thread context of 1244	2360	spoolsv.exe	164
PID 4240 set thread context of 3728	4240	spoolsv.exe	165
PID 1904 set thread context of 432	1904	spoolsv.exe	167
PID 2320 set thread context of 536	2320	spoolsv.exe	168
PID 3760 set thread context of 4732	3760	spoolsv.exe	170
PID 1436 set thread context of 1116	1436	spoolsv.exe	171
PID 4692 set thread context of 4968	4692	spoolsv.exe	173
PID 1344 set thread context of 4132	1344	spoolsv.exe	178
PID 3700 set thread context of 4024	3700	explorer.exe	180
PID 1524 set thread context of 2064	1524	spoolsv.exe	183
PID 4956 set thread context of 4748	4956	explorer.exe	185
PID 3532 set thread context of 4540	3532	spoolsv.exe	189
PID 1076 set thread context of 756	1076	explorer.exe	191
PID 3088 set thread context of 4516	3088	spoolsv.exe	194
PID 2672 set thread context of 4644	2672	explorer.exe	196
PID 3172 set thread context of 3892	3172	spoolsv.exe	199
PID 4164 set thread context of 2508	4164	explorer.exe	201
PID 4332 set thread context of 372	4332	spoolsv.exe	205
PID 1700 set thread context of 3324	1700	explorer.exe	225

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3148	explorer.exe
3288	spoolsv.exe
3288	spoolsv.exe
716	spoolsv.exe
716	spoolsv.exe
4984	spoolsv.exe
4984	spoolsv.exe
2620	spoolsv.exe
2620	spoolsv.exe
1684	spoolsv.exe
1684	spoolsv.exe
3200	spoolsv.exe
3200	spoolsv.exe
552	spoolsv.exe
552	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
4308	spoolsv.exe
4308	spoolsv.exe
4992	spoolsv.exe
4992	spoolsv.exe
1868	spoolsv.exe
1868	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
880	spoolsv.exe
880	spoolsv.exe
4668	spoolsv.exe
4668	spoolsv.exe
4408	spoolsv.exe
4408	spoolsv.exe
404	spoolsv.exe
404	spoolsv.exe
2688	spoolsv.exe
2688	spoolsv.exe
264	spoolsv.exe
264	spoolsv.exe
5024	spoolsv.exe
5024	spoolsv.exe
2004	spoolsv.exe
2004	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
1244	spoolsv.exe
1244	spoolsv.exe
3728	spoolsv.exe
3728	spoolsv.exe
432	spoolsv.exe
432	spoolsv.exe
536	spoolsv.exe
536	spoolsv.exe
4732	spoolsv.exe
4732	spoolsv.exe
1116	spoolsv.exe
1116	spoolsv.exe
4968	spoolsv.exe
4968	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2572	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	84
PID 880 wrote to memory of 2572	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	84
PID 880 wrote to memory of 4896	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	94
PID 880 wrote to memory of 4896	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	94
PID 880 wrote to memory of 4896	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	94
PID 880 wrote to memory of 4896	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	94
PID 880 wrote to memory of 4896	880	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	94
PID 4896 wrote to memory of 692	4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	95
PID 4896 wrote to memory of 692	4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	95
PID 4896 wrote to memory of 692	4896	d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe	95
PID 692 wrote to memory of 3148	692	explorer.exe	100
PID 692 wrote to memory of 3148	692	explorer.exe	100
PID 692 wrote to memory of 3148	692	explorer.exe	100
PID 692 wrote to memory of 3148	692	explorer.exe	100
PID 692 wrote to memory of 3148	692	explorer.exe	100
PID 3148 wrote to memory of 1532	3148	explorer.exe	101
PID 3148 wrote to memory of 1532	3148	explorer.exe	101
PID 3148 wrote to memory of 1532	3148	explorer.exe	101
PID 3148 wrote to memory of 676	3148	explorer.exe	102
PID 3148 wrote to memory of 676	3148	explorer.exe	102
PID 3148 wrote to memory of 676	3148	explorer.exe	102
PID 3148 wrote to memory of 4396	3148	explorer.exe	103
PID 3148 wrote to memory of 4396	3148	explorer.exe	103
PID 3148 wrote to memory of 4396	3148	explorer.exe	103
PID 3148 wrote to memory of 2000	3148	explorer.exe	104
PID 3148 wrote to memory of 2000	3148	explorer.exe	104
PID 3148 wrote to memory of 2000	3148	explorer.exe	104
PID 3148 wrote to memory of 1332	3148	explorer.exe	105
PID 3148 wrote to memory of 1332	3148	explorer.exe	105
PID 3148 wrote to memory of 1332	3148	explorer.exe	105
PID 3148 wrote to memory of 4348	3148	explorer.exe	106
PID 3148 wrote to memory of 4348	3148	explorer.exe	106
PID 3148 wrote to memory of 4348	3148	explorer.exe	106
PID 3148 wrote to memory of 4304	3148	explorer.exe	107
PID 3148 wrote to memory of 4304	3148	explorer.exe	107
PID 3148 wrote to memory of 4304	3148	explorer.exe	107
PID 3148 wrote to memory of 3448	3148	explorer.exe	108
PID 3148 wrote to memory of 3448	3148	explorer.exe	108
PID 3148 wrote to memory of 3448	3148	explorer.exe	108
PID 3148 wrote to memory of 3876	3148	explorer.exe	109
PID 3148 wrote to memory of 3876	3148	explorer.exe	109
PID 3148 wrote to memory of 3876	3148	explorer.exe	109
PID 3148 wrote to memory of 4380	3148	explorer.exe	110
PID 3148 wrote to memory of 4380	3148	explorer.exe	110
PID 3148 wrote to memory of 4380	3148	explorer.exe	110
PID 3148 wrote to memory of 932	3148	explorer.exe	111
PID 3148 wrote to memory of 932	3148	explorer.exe	111
PID 3148 wrote to memory of 932	3148	explorer.exe	111
PID 3148 wrote to memory of 2080	3148	explorer.exe	112
PID 3148 wrote to memory of 2080	3148	explorer.exe	112
PID 3148 wrote to memory of 2080	3148	explorer.exe	112
PID 3148 wrote to memory of 1456	3148	explorer.exe	113
PID 3148 wrote to memory of 1456	3148	explorer.exe	113
PID 3148 wrote to memory of 1456	3148	explorer.exe	113
PID 3148 wrote to memory of 1016	3148	explorer.exe	114
PID 3148 wrote to memory of 1016	3148	explorer.exe	114
PID 3148 wrote to memory of 1016	3148	explorer.exe	114
PID 3148 wrote to memory of 1592	3148	explorer.exe	115
PID 3148 wrote to memory of 1592	3148	explorer.exe	115
PID 3148 wrote to memory of 1592	3148	explorer.exe	115
PID 3148 wrote to memory of 1444	3148	explorer.exe	116
PID 3148 wrote to memory of 1444	3148	explorer.exe	116
PID 3148 wrote to memory of 1444	3148	explorer.exe	116
PID 3148 wrote to memory of 1132	3148	explorer.exe	117

C:\Users\Admin\AppData\Local\Temp\d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d4e6fb165bcffae035c76f044772e507_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:692
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3288
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1332
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4956
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4304
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1444
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1700
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2368
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1436
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4592
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4484
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1524
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3892
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4332
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2176
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4352
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1428
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4776
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3324
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3744
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1460
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2168
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3948
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
1d9979449fd20514cbbf94ea1ee2f2cf

SHA1
d5dc75845ae84c98c9b47a560eaf89d8eff6e8ec

SHA256
f35bd7082d8df8e521aaa573e968eb0464c5d9975b9294d435671de6bd6b182f

SHA512
1371e5e35a5c66db6388f82c58f76aa4c9d3ab9b10277971bd217e5fbea715ce91654b5ca1fe1df526c19d95fd59d89f67d1ea0cde9851049b5645af36518279

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
fe0f4e32e1cbfde759155276bc600b2f

SHA1
4b2b20ba527db516ff762827d724338184ac6217

SHA256
d5d200b25c70d024f418c7061c0aacce1c6bad2f648d666366c5ba4f055f241d

SHA512
39f25068c381080979815a28a1ae29e4b48fab645b162d05bd89dccbe594247ccb67ec46fe6b57ffeeca1173f67e41658944d45c1fcf6e162b803d26b72cb262

Download Submit
memory/264-2805-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-4706-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-4607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/404-2788-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/404-2956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-3098-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-2045-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/536-3159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-2275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-2279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-937-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/676-2050-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/692-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/692-101-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/716-2048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-4052-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/880-42-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/880-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/880-2618-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/932-1522-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1016-1718-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1060-4840-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1132-1964-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1244-2991-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1332-1070-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1348-2032-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1372-2054-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1428-4947-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-5087-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-1882-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1456-1655-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1532-2040-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1532-801-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1592-1815-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1632-2055-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1684-2397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-2256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-2442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-2031-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1976-2771-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-2609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-1069-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2004-2973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-3154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-4846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-1588-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2108-5297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-2068-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2380-4820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-5002-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-4345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-2071-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-2074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-4200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-731-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-2267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-5261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3288-2207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3288-2038-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-4634-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-5252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-4830-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-1323-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3728-3004-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-1384-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3948-5422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-3605-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-2297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-2320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-3713-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-3596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-1207-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4308-2552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4308-2421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-1131-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4352-4731-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-1450-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4396-1003-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4396-2064-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4516-4201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-4268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-4120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-4040-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-4211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-2627-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-2632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-3181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-3778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-5233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-5272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-5268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-87-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4896-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-2062-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-2430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-2816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-2985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download