pony | 4a51609911b3ccee6b531bf59efb36f964b587360e636b9bfb50bdb2dc1b1cfb

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
Size

2.2MB
MD5

da72037307983884ae44de75e3dbba33
SHA1

348ebfe9095f57ce139b2ce64fae706316691095
SHA256

4a51609911b3ccee6b531bf59efb36f964b587360e636b9bfb50bdb2dc1b1cfb
SHA512

f016dc0d0bb849bb396a34cc9edb506d1b0352725b6d65275ae1ddc58bee149746100ed19e931658c05eda07b385b87a3ed62ab982a0014bd52fb64a470e12cf
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWwwd

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4560	explorer.exe
2696	explorer.exe
2000	spoolsv.exe
4924	spoolsv.exe
2148	spoolsv.exe
3944	spoolsv.exe
1048	spoolsv.exe
3128	spoolsv.exe
3840	spoolsv.exe
4640	spoolsv.exe
1984	spoolsv.exe
432	spoolsv.exe
1676	spoolsv.exe
1916	spoolsv.exe
3040	spoolsv.exe
4872	spoolsv.exe
936	spoolsv.exe
888	spoolsv.exe
1936	spoolsv.exe
3976	spoolsv.exe
4388	spoolsv.exe
4748	spoolsv.exe
3052	spoolsv.exe
4804	spoolsv.exe
3140	spoolsv.exe
1196	spoolsv.exe
3604	spoolsv.exe
2276	spoolsv.exe
4908	spoolsv.exe
3528	spoolsv.exe
4572	spoolsv.exe
2040	spoolsv.exe
3360	spoolsv.exe
4300	spoolsv.exe
872	spoolsv.exe
1308	spoolsv.exe
3600	spoolsv.exe
3460	spoolsv.exe
2256	explorer.exe
876	spoolsv.exe
1116	spoolsv.exe
2744	spoolsv.exe
3904	spoolsv.exe
3636	spoolsv.exe
1004	spoolsv.exe
4120	spoolsv.exe
3516	spoolsv.exe
3784	explorer.exe
5036	spoolsv.exe
2372	spoolsv.exe
4124	spoolsv.exe
448	spoolsv.exe
708	spoolsv.exe
1076	spoolsv.exe
2180	spoolsv.exe
2260	explorer.exe
740	spoolsv.exe
608	spoolsv.exe
4776	spoolsv.exe
1480	spoolsv.exe
2812	spoolsv.exe
1648	spoolsv.exe
1776	spoolsv.exe
4568	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 56 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 1492	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	97
PID 4560 set thread context of 2696	4560	explorer.exe	101
PID 2000 set thread context of 3460	2000	spoolsv.exe	137
PID 4924 set thread context of 876	4924	spoolsv.exe	139
PID 2148 set thread context of 1116	2148	spoolsv.exe	140
PID 3944 set thread context of 2744	3944	spoolsv.exe	141
PID 1048 set thread context of 3904	1048	spoolsv.exe	142
PID 3128 set thread context of 1004	3128	spoolsv.exe	144
PID 3840 set thread context of 4120	3840	spoolsv.exe	145
PID 4640 set thread context of 3516	4640	spoolsv.exe	146
PID 1984 set thread context of 5036	1984	spoolsv.exe	148
PID 432 set thread context of 2372	432	spoolsv.exe	149
PID 1676 set thread context of 4124	1676	spoolsv.exe	150
PID 1916 set thread context of 448	1916	spoolsv.exe	151
PID 3040 set thread context of 1076	3040	spoolsv.exe	153
PID 4872 set thread context of 2180	4872	spoolsv.exe	154
PID 936 set thread context of 740	936	spoolsv.exe	156
PID 888 set thread context of 608	888	spoolsv.exe	157
PID 1936 set thread context of 4776	1936	spoolsv.exe	158
PID 3976 set thread context of 1480	3976	spoolsv.exe	159
PID 4388 set thread context of 1648	4388	spoolsv.exe	161
PID 4748 set thread context of 1776	4748	spoolsv.exe	162
PID 3052 set thread context of 4568	3052	spoolsv.exe	163
PID 4804 set thread context of 5108	4804	spoolsv.exe	165
PID 3140 set thread context of 4584	3140	spoolsv.exe	166
PID 1196 set thread context of 1140	1196	spoolsv.exe	167
PID 3604 set thread context of 3180	3604	spoolsv.exe	168
PID 2276 set thread context of 2588	2276	spoolsv.exe	169
PID 4908 set thread context of 388	4908	spoolsv.exe	171
PID 3528 set thread context of 3520	3528	spoolsv.exe	172
PID 4572 set thread context of 1148	4572	spoolsv.exe	174
PID 2040 set thread context of 2464	2040	spoolsv.exe	175
PID 3360 set thread context of 2152	3360	spoolsv.exe	176
PID 4300 set thread context of 3744	4300	spoolsv.exe	177
PID 872 set thread context of 2296	872	spoolsv.exe	179
PID 1308 set thread context of 3544	1308	spoolsv.exe	180
PID 3600 set thread context of 1700	3600	spoolsv.exe	187
PID 2256 set thread context of 1572	2256	explorer.exe	191
PID 3636 set thread context of 2448	3636	spoolsv.exe	194
PID 3784 set thread context of 5096	3784	explorer.exe	197
PID 708 set thread context of 2136	708	spoolsv.exe	201
PID 2260 set thread context of 1336	2260	explorer.exe	206
PID 2812 set thread context of 4720	2812	spoolsv.exe	210
PID 4884 set thread context of 4808	4884	explorer.exe	212
PID 4004 set thread context of 4836	4004	spoolsv.exe	217
PID 2140 set thread context of 1216	2140	explorer.exe	219
PID 3120 set thread context of 1944	3120	spoolsv.exe	220
PID 5080 set thread context of 2304	5080	explorer.exe	221
PID 3648 set thread context of 5012	3648	spoolsv.exe	222
PID 1728 set thread context of 4456	1728	spoolsv.exe	223
PID 3252 set thread context of 4980	3252	spoolsv.exe	225
PID 4260 set thread context of 4348	4260	spoolsv.exe	226
PID 3696 set thread context of 3660	3696	spoolsv.exe	229
PID 1448 set thread context of 2948	1448	explorer.exe	230
PID 1368 set thread context of 2856	1368	spoolsv.exe	231
PID 3912 set thread context of 3212	3912	spoolsv.exe	233

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
3460	spoolsv.exe
3460	spoolsv.exe
876	spoolsv.exe
876	spoolsv.exe
1116	spoolsv.exe
1116	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
3904	spoolsv.exe
3904	spoolsv.exe
1004	spoolsv.exe
1004	spoolsv.exe
4120	spoolsv.exe
4120	spoolsv.exe
3516	spoolsv.exe
3516	spoolsv.exe
5036	spoolsv.exe
5036	spoolsv.exe
2372	spoolsv.exe
2372	spoolsv.exe
4124	spoolsv.exe
4124	spoolsv.exe
448	spoolsv.exe
448	spoolsv.exe
1076	spoolsv.exe
1076	spoolsv.exe
2180	spoolsv.exe
2180	spoolsv.exe
740	spoolsv.exe
740	spoolsv.exe
608	spoolsv.exe
608	spoolsv.exe
4776	spoolsv.exe
4776	spoolsv.exe
1480	spoolsv.exe
1480	spoolsv.exe
1648	spoolsv.exe
1648	spoolsv.exe
1776	spoolsv.exe
1776	spoolsv.exe
4568	spoolsv.exe
4568	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
4584	spoolsv.exe
4584	spoolsv.exe
1140	spoolsv.exe
1140	spoolsv.exe
3180	spoolsv.exe
3180	spoolsv.exe
2588	spoolsv.exe
2588	spoolsv.exe
388	spoolsv.exe
388	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
1148	spoolsv.exe
1148	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 3532	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	85
PID 4428 wrote to memory of 3532	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	85
PID 4428 wrote to memory of 1492	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	97
PID 4428 wrote to memory of 1492	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	97
PID 4428 wrote to memory of 1492	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	97
PID 4428 wrote to memory of 1492	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	97
PID 4428 wrote to memory of 1492	4428	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	97
PID 1492 wrote to memory of 4560	1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	98
PID 1492 wrote to memory of 4560	1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	98
PID 1492 wrote to memory of 4560	1492	da72037307983884ae44de75e3dbba33_JaffaCakes118.exe	98
PID 4560 wrote to memory of 2696	4560	explorer.exe	101
PID 4560 wrote to memory of 2696	4560	explorer.exe	101
PID 4560 wrote to memory of 2696	4560	explorer.exe	101
PID 4560 wrote to memory of 2696	4560	explorer.exe	101
PID 4560 wrote to memory of 2696	4560	explorer.exe	101
PID 2696 wrote to memory of 2000	2696	explorer.exe	102
PID 2696 wrote to memory of 2000	2696	explorer.exe	102
PID 2696 wrote to memory of 2000	2696	explorer.exe	102
PID 2696 wrote to memory of 4924	2696	explorer.exe	103
PID 2696 wrote to memory of 4924	2696	explorer.exe	103
PID 2696 wrote to memory of 4924	2696	explorer.exe	103
PID 2696 wrote to memory of 2148	2696	explorer.exe	104
PID 2696 wrote to memory of 2148	2696	explorer.exe	104
PID 2696 wrote to memory of 2148	2696	explorer.exe	104
PID 2696 wrote to memory of 3944	2696	explorer.exe	105
PID 2696 wrote to memory of 3944	2696	explorer.exe	105
PID 2696 wrote to memory of 3944	2696	explorer.exe	105
PID 2696 wrote to memory of 1048	2696	explorer.exe	106
PID 2696 wrote to memory of 1048	2696	explorer.exe	106
PID 2696 wrote to memory of 1048	2696	explorer.exe	106
PID 2696 wrote to memory of 3128	2696	explorer.exe	107
PID 2696 wrote to memory of 3128	2696	explorer.exe	107
PID 2696 wrote to memory of 3128	2696	explorer.exe	107
PID 2696 wrote to memory of 3840	2696	explorer.exe	108
PID 2696 wrote to memory of 3840	2696	explorer.exe	108
PID 2696 wrote to memory of 3840	2696	explorer.exe	108
PID 2696 wrote to memory of 4640	2696	explorer.exe	109
PID 2696 wrote to memory of 4640	2696	explorer.exe	109
PID 2696 wrote to memory of 4640	2696	explorer.exe	109
PID 2696 wrote to memory of 1984	2696	explorer.exe	110
PID 2696 wrote to memory of 1984	2696	explorer.exe	110
PID 2696 wrote to memory of 1984	2696	explorer.exe	110
PID 2696 wrote to memory of 432	2696	explorer.exe	111
PID 2696 wrote to memory of 432	2696	explorer.exe	111
PID 2696 wrote to memory of 432	2696	explorer.exe	111
PID 2696 wrote to memory of 1676	2696	explorer.exe	112
PID 2696 wrote to memory of 1676	2696	explorer.exe	112
PID 2696 wrote to memory of 1676	2696	explorer.exe	112
PID 2696 wrote to memory of 1916	2696	explorer.exe	113
PID 2696 wrote to memory of 1916	2696	explorer.exe	113
PID 2696 wrote to memory of 1916	2696	explorer.exe	113
PID 2696 wrote to memory of 3040	2696	explorer.exe	114
PID 2696 wrote to memory of 3040	2696	explorer.exe	114
PID 2696 wrote to memory of 3040	2696	explorer.exe	114
PID 2696 wrote to memory of 4872	2696	explorer.exe	115
PID 2696 wrote to memory of 4872	2696	explorer.exe	115
PID 2696 wrote to memory of 4872	2696	explorer.exe	115
PID 2696 wrote to memory of 936	2696	explorer.exe	116
PID 2696 wrote to memory of 936	2696	explorer.exe	116
PID 2696 wrote to memory of 936	2696	explorer.exe	116
PID 2696 wrote to memory of 888	2696	explorer.exe	117
PID 2696 wrote to memory of 888	2696	explorer.exe	117
PID 2696 wrote to memory of 888	2696	explorer.exe	117
PID 2696 wrote to memory of 1936	2696	explorer.exe	118

C:\Users\Admin\AppData\Local\Temp\da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da72037307983884ae44de75e3dbba33_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\da72037307983884ae44de75e3dbba33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da72037307983884ae44de75e3dbba33_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1492
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4924
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3128
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3516
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3784
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2260
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:936
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:888
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1936
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1196
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1308
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1448
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:708
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4836
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3252
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4260
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1368
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3212
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2884
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2160
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4656
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5104
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:864
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
e6e65bd051c6220350e01e534a35cbd7

SHA1
10881eab5f50521b11a98a003731ae2db12f6f56

SHA256
d3b07c8d9c9849697fbf97102b5eac76c16eee40e7d0fc564e2cd0b4cbc42e7c

SHA512
3ffeb620aad741f0808bc2d6cd078ab34550a13c76f983790c1bf41204b249985345ab4d0ca91510401e51c83f493f24429898997cdc01b6f7972cc91b713085

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
3c97b9532386e7ea12ddae90d072bf09

SHA1
0aac9a05fde08033743a450f180f625222e663fc

SHA256
cc425309bbfefbe618cbfde904ed3c9a3876faaef61cb2df1f10a229c44f4e29

SHA512
fdf047cac0583e3ec1198b35c670d5fc951111ae1c0ded27df76f2fc58c2f4df4b9e3fa1578178082f6d7a1910ded43679340d420e1e703c611df40e9e9496b9

Download Submit
memory/388-3125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-1590-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/448-2608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/608-2813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-2805-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/864-6188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-2342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-1920-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/936-1919-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1004-2460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1048-1205-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1076-2692-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-2354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-3052-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-3221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-3224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-2341-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1216-5355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1336-4784-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-2831-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-4069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-2917-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-1591-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1700-3847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-3977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-2927-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-1663-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1936-1987-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1944-5364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-1459-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2000-901-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2000-2332-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2136-4512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-2355-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2148-1073-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2152-3240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2160-5977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-2794-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-3333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-5378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-2589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-4289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-3230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-3234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-4815-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-835-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-2365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-5655-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-5646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-1725-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3052-2249-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3128-1206-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3140-2328-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3212-5958-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-5822-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-5903-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-5986-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3460-2550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-2776-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-2563-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3520-3214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3520-3377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-3516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-2353-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3660-5635-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-1317-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3944-1149-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3976-2100-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4120-2471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4124-2598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-5733-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-5541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-2167-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4428-39-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4428-31-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4428-0-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4428-32-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4456-5439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-81-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4560-75-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4568-3021-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-3040-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-1393-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4720-5111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-4981-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-2168-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4804-2327-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4808-5078-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-5342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-1842-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4924-982-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4924-2344-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4980-5468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-5384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-2578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-4251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-3031-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download