pony | 51a0e57c566d3568d81a3a3cd64d827ad33dcc6da50673af0d7b2ee1a1aede03

Analysis

max time kernel
146s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
Size

2.2MB
MD5

d58fa833dfed4f4135e803cb099e1e83
SHA1

121137bb27c4e09d4a8c96fb880e03a0f5f5e5de
SHA256

51a0e57c566d3568d81a3a3cd64d827ad33dcc6da50673af0d7b2ee1a1aede03
SHA512

06b92b148a52fcc18c5dd4c2f129af7875b6c2c327e6d207903e9a5cf76065797c71d59d81fb67be3a0c5cfd05a3d9443762cd25009f76f67727d253a7c8daea
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZX:0UzeyQMS4DqodCnoe+iitjWww7

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2728	explorer.exe
2280	explorer.exe
3000	spoolsv.exe
300	spoolsv.exe
2484	spoolsv.exe
2148	spoolsv.exe
236	spoolsv.exe
2932	spoolsv.exe
2700	spoolsv.exe
2304	spoolsv.exe
528	spoolsv.exe
2120	spoolsv.exe
1796	spoolsv.exe
808	spoolsv.exe
2524	spoolsv.exe
3056	spoolsv.exe
948	spoolsv.exe
3028	spoolsv.exe
2160	spoolsv.exe
1804	spoolsv.exe
1724	spoolsv.exe
2780	spoolsv.exe
2876	spoolsv.exe
2900	spoolsv.exe
1748	spoolsv.exe
1084	spoolsv.exe
2572	spoolsv.exe
1696	spoolsv.exe
3060	spoolsv.exe
1688	spoolsv.exe
2992	spoolsv.exe
1876	spoolsv.exe
2260	spoolsv.exe
1972	spoolsv.exe
1892	spoolsv.exe
2852	spoolsv.exe
2544	spoolsv.exe
684	spoolsv.exe
2856	spoolsv.exe
2616	spoolsv.exe
2372	spoolsv.exe
1736	spoolsv.exe
2000	spoolsv.exe
2632	spoolsv.exe
2416	spoolsv.exe
1016	spoolsv.exe
2816	spoolsv.exe
2152	spoolsv.exe
2348	spoolsv.exe
576	spoolsv.exe
1920	spoolsv.exe
2132	spoolsv.exe
1156	spoolsv.exe
2604	spoolsv.exe
540	spoolsv.exe
2548	spoolsv.exe
2748	spoolsv.exe
904	spoolsv.exe
2624	spoolsv.exe
1100	spoolsv.exe
2480	spoolsv.exe
2044	spoolsv.exe
1988	explorer.exe
2128	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 60 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 2728 set thread context of 2280	2728	explorer.exe	33
PID 3000 set thread context of 2044	3000	spoolsv.exe	93
PID 300 set thread context of 2128	300	spoolsv.exe	95
PID 2148 set thread context of 2772	2148	spoolsv.exe	96
PID 2484 set thread context of 1348	2484	spoolsv.exe	97
PID 236 set thread context of 1484	236	spoolsv.exe	99
PID 2932 set thread context of 2668	2932	spoolsv.exe	100
PID 2700 set thread context of 3272	2700	spoolsv.exe	101
PID 2304 set thread context of 3288	2304	spoolsv.exe	102
PID 2120 set thread context of 3724	2120	spoolsv.exe	105
PID 528 set thread context of 3828	528	spoolsv.exe	106
PID 808 set thread context of 3936	808	spoolsv.exe	108
PID 1796 set thread context of 3956	1796	spoolsv.exe	110
PID 1100 set thread context of 4028	1100	spoolsv.exe	111
PID 3056 set thread context of 4008	3056	spoolsv.exe	109
PID 2780 set thread context of 4064	2780	spoolsv.exe	112
PID 3028 set thread context of 4040	3028	spoolsv.exe	114
PID 948 set thread context of 4052	948	spoolsv.exe	113
PID 2160 set thread context of 2456	2160	spoolsv.exe	116
PID 2524 set thread context of 4084	2524	spoolsv.exe	115
PID 1804 set thread context of 2676	1804	spoolsv.exe	117
PID 2900 set thread context of 3128	2900	spoolsv.exe	118
PID 2572 set thread context of 3220	2572	spoolsv.exe	119
PID 2876 set thread context of 2368	2876	spoolsv.exe	121
PID 1724 set thread context of 3232	1724	spoolsv.exe	120
PID 1876 set thread context of 2684	1876	spoolsv.exe	122
PID 1688 set thread context of 2940	1688	spoolsv.exe	125
PID 1696 set thread context of 1764	1696	spoolsv.exe	124
PID 3060 set thread context of 2248	3060	spoolsv.exe	123
PID 2616 set thread context of 3412	2616	spoolsv.exe	127
PID 2852 set thread context of 3420	2852	spoolsv.exe	128
PID 1972 set thread context of 3432	1972	spoolsv.exe	129
PID 1084 set thread context of 3340	1084	spoolsv.exe	134
PID 1748 set thread context of 2608	1748	spoolsv.exe	126
PID 2260 set thread context of 3236	2260	spoolsv.exe	130
PID 1736 set thread context of 3364	1736	spoolsv.exe	135
PID 2544 set thread context of 3320	2544	spoolsv.exe	132
PID 684 set thread context of 3324	684	spoolsv.exe	133
PID 2632 set thread context of 3360	2632	spoolsv.exe	136
PID 2992 set thread context of 3448	2992	spoolsv.exe	131
PID 1892 set thread context of 3376	1892	spoolsv.exe	139
PID 2372 set thread context of 3476	2372	spoolsv.exe	140
PID 2416 set thread context of 3052	2416	spoolsv.exe	141
PID 2548 set thread context of 3768	2548	spoolsv.exe	144
PID 576 set thread context of 3708	576	spoolsv.exe	146
PID 2152 set thread context of 3852	2152	spoolsv.exe	147
PID 2132 set thread context of 3696	2132	spoolsv.exe	145
PID 2348 set thread context of 3896	2348	spoolsv.exe	151
PID 2624 set thread context of 2516	2624	spoolsv.exe	153
PID 1920 set thread context of 3888	1920	spoolsv.exe	152
PID 2000 set thread context of 3388	2000	spoolsv.exe	137
PID 904 set thread context of 3716	904	spoolsv.exe	143
PID 2604 set thread context of 2864	2604	spoolsv.exe	142
PID 2856 set thread context of 3332	2856	spoolsv.exe	138
PID 1016 set thread context of 3848	1016	spoolsv.exe	148
PID 2816 set thread context of 3868	2816	spoolsv.exe	150
PID 1156 set thread context of 3824	1156	spoolsv.exe	149
PID 2748 set thread context of 3932	2748	spoolsv.exe	154
PID 540 set thread context of 3948	540	spoolsv.exe	155

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2280	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2044	spoolsv.exe
2044	spoolsv.exe
2128	spoolsv.exe
2128	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
1348	spoolsv.exe
1348	spoolsv.exe
1484	spoolsv.exe
1484	spoolsv.exe
2668	spoolsv.exe
2668	spoolsv.exe
3272	spoolsv.exe
3272	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe
3724	spoolsv.exe
3724	spoolsv.exe
3828	spoolsv.exe
3828	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
4028	spoolsv.exe
4028	spoolsv.exe
4008	spoolsv.exe
4008	spoolsv.exe
4052	spoolsv.exe
4064	spoolsv.exe
4052	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
2456	spoolsv.exe
2456	spoolsv.exe
4064	spoolsv.exe
4084	spoolsv.exe
4084	spoolsv.exe
2676	spoolsv.exe
2676	spoolsv.exe
3128	spoolsv.exe
3128	spoolsv.exe
3220	spoolsv.exe
3220	spoolsv.exe
2368	spoolsv.exe
2368	spoolsv.exe
3232	spoolsv.exe
3232	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2940	spoolsv.exe
2940	spoolsv.exe
3420	spoolsv.exe
3412	spoolsv.exe
3420	spoolsv.exe
3412	spoolsv.exe
1764	spoolsv.exe
1764	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2168	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2168	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2168	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2168	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2704	1348	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2728	2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2728	2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2728	2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2728	2704	d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe	32
PID 2728 wrote to memory of 2280	2728	explorer.exe	33
PID 2728 wrote to memory of 2280	2728	explorer.exe	33
PID 2728 wrote to memory of 2280	2728	explorer.exe	33
PID 2728 wrote to memory of 2280	2728	explorer.exe	33
PID 2728 wrote to memory of 2280	2728	explorer.exe	33
PID 2728 wrote to memory of 2280	2728	explorer.exe	33
PID 2280 wrote to memory of 3000	2280	explorer.exe	34
PID 2280 wrote to memory of 3000	2280	explorer.exe	34
PID 2280 wrote to memory of 3000	2280	explorer.exe	34
PID 2280 wrote to memory of 3000	2280	explorer.exe	34
PID 2280 wrote to memory of 300	2280	explorer.exe	35
PID 2280 wrote to memory of 300	2280	explorer.exe	35
PID 2280 wrote to memory of 300	2280	explorer.exe	35
PID 2280 wrote to memory of 300	2280	explorer.exe	35
PID 2280 wrote to memory of 2484	2280	explorer.exe	36
PID 2280 wrote to memory of 2484	2280	explorer.exe	36
PID 2280 wrote to memory of 2484	2280	explorer.exe	36
PID 2280 wrote to memory of 2484	2280	explorer.exe	36
PID 2280 wrote to memory of 2148	2280	explorer.exe	37
PID 2280 wrote to memory of 2148	2280	explorer.exe	37
PID 2280 wrote to memory of 2148	2280	explorer.exe	37
PID 2280 wrote to memory of 2148	2280	explorer.exe	37
PID 2280 wrote to memory of 236	2280	explorer.exe	38
PID 2280 wrote to memory of 236	2280	explorer.exe	38
PID 2280 wrote to memory of 236	2280	explorer.exe	38
PID 2280 wrote to memory of 236	2280	explorer.exe	38
PID 2280 wrote to memory of 2932	2280	explorer.exe	39
PID 2280 wrote to memory of 2932	2280	explorer.exe	39
PID 2280 wrote to memory of 2932	2280	explorer.exe	39
PID 2280 wrote to memory of 2932	2280	explorer.exe	39
PID 2280 wrote to memory of 2700	2280	explorer.exe	40
PID 2280 wrote to memory of 2700	2280	explorer.exe	40
PID 2280 wrote to memory of 2700	2280	explorer.exe	40
PID 2280 wrote to memory of 2700	2280	explorer.exe	40
PID 2280 wrote to memory of 2304	2280	explorer.exe	41
PID 2280 wrote to memory of 2304	2280	explorer.exe	41
PID 2280 wrote to memory of 2304	2280	explorer.exe	41
PID 2280 wrote to memory of 2304	2280	explorer.exe	41
PID 2280 wrote to memory of 528	2280	explorer.exe	42
PID 2280 wrote to memory of 528	2280	explorer.exe	42
PID 2280 wrote to memory of 528	2280	explorer.exe	42
PID 2280 wrote to memory of 528	2280	explorer.exe	42
PID 2280 wrote to memory of 2120	2280	explorer.exe	43
PID 2280 wrote to memory of 2120	2280	explorer.exe	43
PID 2280 wrote to memory of 2120	2280	explorer.exe	43
PID 2280 wrote to memory of 2120	2280	explorer.exe	43
PID 2280 wrote to memory of 1796	2280	explorer.exe	44
PID 2280 wrote to memory of 1796	2280	explorer.exe	44
PID 2280 wrote to memory of 1796	2280	explorer.exe	44
PID 2280 wrote to memory of 1796	2280	explorer.exe	44

C:\Users\Admin\AppData\Local\Temp\d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d58fa833dfed4f4135e803cb099e1e83_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:236
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3272
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2304
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1796
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2524
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2780
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1688
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2260
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:684
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2616
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1736
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2416
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:576
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1920
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1156
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
\Windows\system\explorer.exe

Filesize
2.2MB

MD5
c79658de1d0f38c97831d8bcb7767bad

SHA1
235c1a81e27238dea005bfce0e2297da0b2290bf

SHA256
e8682f537e48c6617e27271bf63cea2e2947ac1e056668065672e145164cf0f2

SHA512
cf76aa3778c362a72fa1b2d0b17f0c77bdb82d82bbfca74d98c771175e56096af6586f13a314eae4640b23b19a0431409dcadabb58f004154462cc035711f7b2

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.2MB

MD5
a0a6f99f40b625486aa663b6ab186a2a

SHA1
dfc77d34ed04916b90e0a12f5a4b6cde3e1ae2bc

SHA256
c3663b6eb48f6e73da3f8875d760832f95b9cdcd4699e3d0301317a7f8092132

SHA512
cadcb132d6cfd42ea6fe1d569c76103be7e7533542e28e89561e943d5399d548154ca17a8e2f597852274a6701643cbb035737cce57ed70b1ebbebec76669aa5

Download Submit
memory/236-1202-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/300-984-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/528-1510-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/808-1620-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/948-1693-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1084-1897-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1348-28-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1348-2410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1348-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1348-16-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1484-2441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-2052-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1696-1975-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1724-1840-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1748-1896-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1764-3003-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-1617-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1804-1752-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1876-2140-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2044-2474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-2366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-1611-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-2378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-1101-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2160-1751-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2280-759-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-1509-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2368-2919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-1095-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2516-3114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-1691-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2572-1974-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2668-2458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-2830-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-2949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-1419-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2704-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-48-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/2728-71-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2728-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2728-61-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2772-2397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-1841-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2876-1842-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2900-1895-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2932-1303-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2940-2954-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-2053-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3000-883-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3028-1750-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3056-1692-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3060-1976-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3128-2860-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-2945-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-2573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-2532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-3004-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3364-3043-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-3140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-3132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-3000-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-3155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-2570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-3178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-3246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-2738-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-2754-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-2750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-2820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-2793-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download