pony | c51db4f1ad670b6da51b354d9d556413c11a8a67363d71cbb9bdae018ab575a3

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
Size

2.2MB
MD5

d678696d126ed24a4f3beda3ce937a43
SHA1

82946c2610318f22f2cc8f08f6fb656788347296
SHA256

c51db4f1ad670b6da51b354d9d556413c11a8a67363d71cbb9bdae018ab575a3
SHA512

22803a000eaf9c5d2b127ca016a2745eeff53d49bcca0bb0850040531aa45df2dc2edd2179a5903ba1c3d4c57cfd662721f4c9a5e5c162217b8ea9094469a91d
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZq:0UzeyQMS4DqodCnoe+iitjWwwe

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1868	explorer.exe
3972	explorer.exe
2136	spoolsv.exe
1420	spoolsv.exe
1748	spoolsv.exe
1008	spoolsv.exe
2540	spoolsv.exe
5072	spoolsv.exe
1360	spoolsv.exe
1504	spoolsv.exe
5036	spoolsv.exe
3040	spoolsv.exe
3056	spoolsv.exe
3280	spoolsv.exe
2360	spoolsv.exe
4164	spoolsv.exe
2172	spoolsv.exe
364	spoolsv.exe
3568	spoolsv.exe
3248	spoolsv.exe
4696	spoolsv.exe
1600	spoolsv.exe
4080	spoolsv.exe
3268	spoolsv.exe
1860	spoolsv.exe
5100	spoolsv.exe
2080	spoolsv.exe
740	spoolsv.exe
2908	spoolsv.exe
4012	spoolsv.exe
4620	spoolsv.exe
3580	explorer.exe
1584	spoolsv.exe
4940	spoolsv.exe
1048	spoolsv.exe
2568	spoolsv.exe
3904	spoolsv.exe
1812	spoolsv.exe
2612	explorer.exe
4604	spoolsv.exe
2420	spoolsv.exe
5096	spoolsv.exe
1876	spoolsv.exe
2956	spoolsv.exe
1484	spoolsv.exe
3156	explorer.exe
532	spoolsv.exe
5012	spoolsv.exe
1188	spoolsv.exe
1104	spoolsv.exe
3500	spoolsv.exe
388	spoolsv.exe
1020	explorer.exe
1868	spoolsv.exe
2052	spoolsv.exe
2392	spoolsv.exe
2848	spoolsv.exe
1864	explorer.exe
2608	spoolsv.exe
968	spoolsv.exe
1636	spoolsv.exe
2052	spoolsv.exe
3708	spoolsv.exe
1540	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 548	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	95
PID 1868 set thread context of 3972	1868	explorer.exe	99
PID 2136 set thread context of 4620	2136	spoolsv.exe	128
PID 1420 set thread context of 4940	1420	spoolsv.exe	131
PID 1748 set thread context of 1048	1748	spoolsv.exe	132
PID 1008 set thread context of 2568	1008	spoolsv.exe	133
PID 2540 set thread context of 1812	2540	spoolsv.exe	135
PID 5072 set thread context of 4604	5072	spoolsv.exe	137
PID 1360 set thread context of 2420	1360	spoolsv.exe	138
PID 1504 set thread context of 5096	1504	spoolsv.exe	139
PID 5036 set thread context of 1876	5036	spoolsv.exe	140
PID 3040 set thread context of 1484	3040	spoolsv.exe	142
PID 3056 set thread context of 532	3056	spoolsv.exe	144
PID 3280 set thread context of 5012	3280	spoolsv.exe	145
PID 2360 set thread context of 1188	2360	spoolsv.exe	146
PID 4164 set thread context of 1104	4164	spoolsv.exe	147
PID 2172 set thread context of 388	2172	spoolsv.exe	149
PID 364 set thread context of 2052	364	spoolsv.exe	159
PID 3568 set thread context of 2392	3568	spoolsv.exe	153
PID 3248 set thread context of 2848	3248	spoolsv.exe	154
PID 4696 set thread context of 2608	4696	spoolsv.exe	156
PID 1600 set thread context of 1636	1600	spoolsv.exe	158
PID 4080 set thread context of 2052	4080	spoolsv.exe	159
PID 3268 set thread context of 1540	3268	spoolsv.exe	161
PID 1860 set thread context of 1356	1860	spoolsv.exe	163
PID 5100 set thread context of 2272	5100	spoolsv.exe	165
PID 2080 set thread context of 3272	2080	spoolsv.exe	167
PID 740 set thread context of 1476	740	spoolsv.exe	168
PID 2908 set thread context of 4580	2908	spoolsv.exe	170
PID 4012 set thread context of 1300	4012	spoolsv.exe	173
PID 3580 set thread context of 624	3580	explorer.exe	176
PID 1584 set thread context of 2364	1584	spoolsv.exe	178
PID 3904 set thread context of 4400	3904	spoolsv.exe	182
PID 2612 set thread context of 4724	2612	explorer.exe	184
PID 2956 set thread context of 1620	2956	spoolsv.exe	188
PID 3156 set thread context of 1848	3156	explorer.exe	190
PID 3500 set thread context of 2968	3500	spoolsv.exe	192
PID 1020 set thread context of 2480	1020	explorer.exe	196
PID 1868 set thread context of 664	1868	spoolsv.exe	197
PID 1864 set thread context of 2776	1864	explorer.exe	200
PID 968 set thread context of 4424	968	spoolsv.exe	201
PID 4616 set thread context of 1092	4616	explorer.exe	203
PID 3708 set thread context of 2560	3708	spoolsv.exe	204
PID 4236 set thread context of 3584	4236	explorer.exe	207
PID 2724 set thread context of 1684	2724	spoolsv.exe	208
PID 1644 set thread context of 412	1644	spoolsv.exe	211
PID 456 set thread context of 1440	456	explorer.exe	212
PID 1408 set thread context of 2504	1408	spoolsv.exe	213
PID 4556 set thread context of 4872	4556	explorer.exe	214

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3972	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
4620	spoolsv.exe
4620	spoolsv.exe
4940	spoolsv.exe
4940	spoolsv.exe
1048	spoolsv.exe
1048	spoolsv.exe
2568	spoolsv.exe
2568	spoolsv.exe
1812	spoolsv.exe
1812	spoolsv.exe
4604	spoolsv.exe
4604	spoolsv.exe
2420	spoolsv.exe
2420	spoolsv.exe
5096	spoolsv.exe
5096	spoolsv.exe
1876	spoolsv.exe
1876	spoolsv.exe
1484	spoolsv.exe
1484	spoolsv.exe
532	spoolsv.exe
532	spoolsv.exe
5012	spoolsv.exe
5012	spoolsv.exe
1188	spoolsv.exe
1188	spoolsv.exe
1104	spoolsv.exe
1104	spoolsv.exe
388	spoolsv.exe
388	spoolsv.exe
2052	spoolsv.exe
2052	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2848	spoolsv.exe
2848	spoolsv.exe
2608	spoolsv.exe
2608	spoolsv.exe
1636	spoolsv.exe
1636	spoolsv.exe
2052	spoolsv.exe
2052	spoolsv.exe
1540	spoolsv.exe
1540	spoolsv.exe
1356	spoolsv.exe
1356	spoolsv.exe
2272	spoolsv.exe
2272	spoolsv.exe
3272	spoolsv.exe
3272	spoolsv.exe
1476	spoolsv.exe
1476	spoolsv.exe
4580	spoolsv.exe
4580	spoolsv.exe
1300	spoolsv.exe
1300	spoolsv.exe
624	explorer.exe
624	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4288	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	84
PID 1076 wrote to memory of 4288	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	84
PID 1076 wrote to memory of 548	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	95
PID 1076 wrote to memory of 548	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	95
PID 1076 wrote to memory of 548	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	95
PID 1076 wrote to memory of 548	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	95
PID 1076 wrote to memory of 548	1076	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	95
PID 548 wrote to memory of 1868	548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	96
PID 548 wrote to memory of 1868	548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	96
PID 548 wrote to memory of 1868	548	d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe	96
PID 1868 wrote to memory of 3972	1868	explorer.exe	99
PID 1868 wrote to memory of 3972	1868	explorer.exe	99
PID 1868 wrote to memory of 3972	1868	explorer.exe	99
PID 1868 wrote to memory of 3972	1868	explorer.exe	99
PID 1868 wrote to memory of 3972	1868	explorer.exe	99
PID 3972 wrote to memory of 2136	3972	explorer.exe	100
PID 3972 wrote to memory of 2136	3972	explorer.exe	100
PID 3972 wrote to memory of 2136	3972	explorer.exe	100
PID 3972 wrote to memory of 1420	3972	explorer.exe	101
PID 3972 wrote to memory of 1420	3972	explorer.exe	101
PID 3972 wrote to memory of 1420	3972	explorer.exe	101
PID 3972 wrote to memory of 1748	3972	explorer.exe	102
PID 3972 wrote to memory of 1748	3972	explorer.exe	102
PID 3972 wrote to memory of 1748	3972	explorer.exe	102
PID 3972 wrote to memory of 1008	3972	explorer.exe	103
PID 3972 wrote to memory of 1008	3972	explorer.exe	103
PID 3972 wrote to memory of 1008	3972	explorer.exe	103
PID 3972 wrote to memory of 2540	3972	explorer.exe	104
PID 3972 wrote to memory of 2540	3972	explorer.exe	104
PID 3972 wrote to memory of 2540	3972	explorer.exe	104
PID 3972 wrote to memory of 5072	3972	explorer.exe	105
PID 3972 wrote to memory of 5072	3972	explorer.exe	105
PID 3972 wrote to memory of 5072	3972	explorer.exe	105
PID 3972 wrote to memory of 1360	3972	explorer.exe	106
PID 3972 wrote to memory of 1360	3972	explorer.exe	106
PID 3972 wrote to memory of 1360	3972	explorer.exe	106
PID 3972 wrote to memory of 1504	3972	explorer.exe	107
PID 3972 wrote to memory of 1504	3972	explorer.exe	107
PID 3972 wrote to memory of 1504	3972	explorer.exe	107
PID 3972 wrote to memory of 5036	3972	explorer.exe	108
PID 3972 wrote to memory of 5036	3972	explorer.exe	108
PID 3972 wrote to memory of 5036	3972	explorer.exe	108
PID 3972 wrote to memory of 3040	3972	explorer.exe	109
PID 3972 wrote to memory of 3040	3972	explorer.exe	109
PID 3972 wrote to memory of 3040	3972	explorer.exe	109
PID 3972 wrote to memory of 3056	3972	explorer.exe	110
PID 3972 wrote to memory of 3056	3972	explorer.exe	110
PID 3972 wrote to memory of 3056	3972	explorer.exe	110
PID 3972 wrote to memory of 3280	3972	explorer.exe	111
PID 3972 wrote to memory of 3280	3972	explorer.exe	111
PID 3972 wrote to memory of 3280	3972	explorer.exe	111
PID 3972 wrote to memory of 2360	3972	explorer.exe	112
PID 3972 wrote to memory of 2360	3972	explorer.exe	112
PID 3972 wrote to memory of 2360	3972	explorer.exe	112
PID 3972 wrote to memory of 4164	3972	explorer.exe	113
PID 3972 wrote to memory of 4164	3972	explorer.exe	113
PID 3972 wrote to memory of 4164	3972	explorer.exe	113
PID 3972 wrote to memory of 2172	3972	explorer.exe	114
PID 3972 wrote to memory of 2172	3972	explorer.exe	114
PID 3972 wrote to memory of 2172	3972	explorer.exe	114
PID 3972 wrote to memory of 364	3972	explorer.exe	115
PID 3972 wrote to memory of 364	3972	explorer.exe	115
PID 3972 wrote to memory of 364	3972	explorer.exe	115
PID 3972 wrote to memory of 3568	3972	explorer.exe	116

C:\Users\Admin\AppData\Local\Temp\d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d678696d126ed24a4f3beda3ce937a43_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:548
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1008
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2612
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1504
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3280
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4164
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:364
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3248
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4580
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1072
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3196
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2956
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3500
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3708
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2560
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1684
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4548
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4032
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4744
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3244
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
5e88bfccdc749cd8f3460851540eea42

SHA1
96085295e62f3d56c131cddb35e572be68695979

SHA256
2daf643fb35fa8214844de58939a153c69748e154d129823ceae150888a2b1a8

SHA512
e00b45a093677f2d805df976ba5cc732a5c5404dc697cf8908e1c157954c61a9893863e60ac406486b81799e8206110ea9ca99ce66548b207037a86a5da44ccc

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
5ba357d39a0bd9a76e1399aa17d04970

SHA1
7cf8f53796b83dc9ad000cf1feb3d143b635a3d0

SHA256
7ee06b4694187646f31c7c03a2326220c273737ef76f22dadefbbd48fbc14c75

SHA512
384a29136522654eae180b6f4d1aa453950b3f7f82924e1d850a3dac012570cae642dab3f290a00372d3f1878fb891ebb2be16a1f6dab70ecb61c125946187e8

Download Submit
memory/364-1641-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/388-2459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-4623-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-2320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-62-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/548-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-3349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/664-4318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/852-4810-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1008-959-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1048-1924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1076-0-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1076-32-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1076-27-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1092-4356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-2349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-2353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1188-2339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-3328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-1132-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1420-887-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1420-1916-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1440-4633-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-2969-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-2301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-2436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1504-1208-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1600-1898-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1620-3995-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-3852-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-4527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-4723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-1926-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1748-923-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1812-2295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-2088-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-5306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-5199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-3863-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-5243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-76-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1868-70-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1876-2128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2052-2692-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-1819-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2136-741-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2172-1579-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2272-2949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-1446-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2364-3500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-3415-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-2548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-2107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-4187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-4645-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-4642-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-1010-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2560-4496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-1959-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-2632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-4262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-2624-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-4019-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-4121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-1266-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3056-1338-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3248-1800-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3268-1953-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3272-2958-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-1389-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3568-1703-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3584-4526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-3851-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-688-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-5087-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-1923-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4164-1447-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4316-4820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-3560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-4296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-4802-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-2097-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4620-1818-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4620-1999-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-1817-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4724-3645-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-4655-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-1914-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-2330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-1265-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5072-1066-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5076-5216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-2120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-2116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download