pony | ca8efd27cc54a5c7126c7027a54742fd0d4c07cb81858d44cbb15029e5819211

Analysis

max time kernel
146s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
Size

2.2MB
MD5

e4ed802138185d95c623ca44cc3c9cbf
SHA1

11270678fa687c57464f41656c86569c58314b49
SHA256

ca8efd27cc54a5c7126c7027a54742fd0d4c07cb81858d44cbb15029e5819211
SHA512

bde6f44eda3c8ec801251da6e55358ce4a314202d070e92fcf5fb3936e9852e5cfb5ff092c6dc6b2a9db4044e1d71b292915922c95a865ec34631805ea1fea4b
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZd:0UzeyQMS4DqodCnoe+iitjWwwR

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2080	explorer.exe
2348	explorer.exe
3116	spoolsv.exe
5084	spoolsv.exe
2088	spoolsv.exe
2352	spoolsv.exe
4432	spoolsv.exe
3680	spoolsv.exe
2336	spoolsv.exe
4772	spoolsv.exe
3664	spoolsv.exe
3636	spoolsv.exe
2616	spoolsv.exe
2980	spoolsv.exe
2224	spoolsv.exe
4760	spoolsv.exe
3560	spoolsv.exe
3244	spoolsv.exe
956	spoolsv.exe
1804	spoolsv.exe
768	spoolsv.exe
3388	spoolsv.exe
4920	spoolsv.exe
3348	spoolsv.exe
2332	spoolsv.exe
1624	spoolsv.exe
4040	spoolsv.exe
1388	spoolsv.exe
1032	spoolsv.exe
1504	spoolsv.exe
552	spoolsv.exe
892	spoolsv.exe
4116	spoolsv.exe
1920	spoolsv.exe
4692	spoolsv.exe
1508	spoolsv.exe
3752	spoolsv.exe
1684	explorer.exe
3344	spoolsv.exe
324	spoolsv.exe
2036	spoolsv.exe
3548	spoolsv.exe
1612	spoolsv.exe
3340	spoolsv.exe
3836	spoolsv.exe
3136	spoolsv.exe
4328	explorer.exe
2744	spoolsv.exe
4992	spoolsv.exe
3280	spoolsv.exe
4660	spoolsv.exe
4428	spoolsv.exe
4724	spoolsv.exe
3520	spoolsv.exe
4104	explorer.exe
2424	spoolsv.exe
2776	spoolsv.exe
4940	spoolsv.exe
1724	spoolsv.exe
1240	spoolsv.exe
1748	spoolsv.exe
1324	spoolsv.exe
5024	spoolsv.exe
2652	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 55 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 1308	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	92
PID 2080 set thread context of 2348	2080	explorer.exe	96
PID 3116 set thread context of 3752	3116	spoolsv.exe	131
PID 5084 set thread context of 3344	5084	spoolsv.exe	133
PID 2088 set thread context of 324	2088	spoolsv.exe	134
PID 2352 set thread context of 2036	2352	spoolsv.exe	135
PID 4432 set thread context of 1612	4432	spoolsv.exe	137
PID 3680 set thread context of 3340	3680	spoolsv.exe	138
PID 2336 set thread context of 3836	2336	spoolsv.exe	139
PID 4772 set thread context of 3136	4772	spoolsv.exe	140
PID 3664 set thread context of 2744	3664	spoolsv.exe	142
PID 3636 set thread context of 4992	3636	spoolsv.exe	143
PID 2616 set thread context of 3280	2616	spoolsv.exe	144
PID 2980 set thread context of 4660	2980	spoolsv.exe	145
PID 2224 set thread context of 4724	2224	spoolsv.exe	147
PID 4760 set thread context of 3520	4760	spoolsv.exe	148
PID 3560 set thread context of 2424	3560	spoolsv.exe	150
PID 3244 set thread context of 2776	3244	spoolsv.exe	151
PID 956 set thread context of 4940	956	spoolsv.exe	152
PID 1804 set thread context of 1724	1804	spoolsv.exe	153
PID 768 set thread context of 1240	768	spoolsv.exe	154
PID 3388 set thread context of 1324	3388	spoolsv.exe	156
PID 4920 set thread context of 5024	4920	spoolsv.exe	157
PID 3348 set thread context of 2652	3348	spoolsv.exe	158
PID 2332 set thread context of 4488	2332	spoolsv.exe	160
PID 1624 set thread context of 1888	1624	spoolsv.exe	161
PID 4040 set thread context of 3248	4040	spoolsv.exe	162
PID 1388 set thread context of 4656	1388	spoolsv.exe	163
PID 1032 set thread context of 1824	1032	spoolsv.exe	165
PID 1504 set thread context of 1908	1504	spoolsv.exe	166
PID 552 set thread context of 4924	552	spoolsv.exe	168
PID 892 set thread context of 2400	892	spoolsv.exe	169
PID 4116 set thread context of 4036	4116	spoolsv.exe	170
PID 1920 set thread context of 4876	1920	spoolsv.exe	171
PID 4692 set thread context of 2992	4692	spoolsv.exe	173
PID 1508 set thread context of 1140	1508	spoolsv.exe	179
PID 1684 set thread context of 4612	1684	explorer.exe	183
PID 3548 set thread context of 2752	3548	spoolsv.exe	186
PID 4328 set thread context of 1972	4328	explorer.exe	188
PID 4428 set thread context of 4108	4428	spoolsv.exe	194
PID 4104 set thread context of 4932	4104	explorer.exe	196
PID 1748 set thread context of 1628	1748	spoolsv.exe	202
PID 5100 set thread context of 3936	5100	explorer.exe	204
PID 3564 set thread context of 4440	3564	spoolsv.exe	208
PID 4044 set thread context of 320	4044	explorer.exe	210
PID 4968 set thread context of 4288	4968	spoolsv.exe	211
PID 1736 set thread context of 3128	1736	explorer.exe	212
PID 3596 set thread context of 3780	3596	spoolsv.exe	213
PID 3904 set thread context of 928	3904	spoolsv.exe	214
PID 3448 set thread context of 1848	3448	spoolsv.exe	215
PID 1876 set thread context of 4668	1876	spoolsv.exe	216
PID 888 set thread context of 2436	888	explorer.exe	217
PID 1548 set thread context of 1008	1548	spoolsv.exe	218
PID 4784 set thread context of 728	4784	spoolsv.exe	220
PID 4424 set thread context of 872	4424	spoolsv.exe	224

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
3752	spoolsv.exe
3752	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
324	spoolsv.exe
324	spoolsv.exe
2036	spoolsv.exe
2036	spoolsv.exe
1612	spoolsv.exe
1612	spoolsv.exe
3340	spoolsv.exe
3340	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
3136	spoolsv.exe
3136	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
4992	spoolsv.exe
4992	spoolsv.exe
3280	spoolsv.exe
3280	spoolsv.exe
4660	spoolsv.exe
4660	spoolsv.exe
4724	spoolsv.exe
4724	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
2424	spoolsv.exe
2424	spoolsv.exe
2776	spoolsv.exe
2776	spoolsv.exe
4940	spoolsv.exe
4940	spoolsv.exe
1724	spoolsv.exe
1724	spoolsv.exe
1240	spoolsv.exe
1240	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
5024	spoolsv.exe
5024	spoolsv.exe
2652	spoolsv.exe
2652	spoolsv.exe
4488	spoolsv.exe
4488	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
3248	spoolsv.exe
3248	spoolsv.exe
4656	spoolsv.exe
4656	spoolsv.exe
1824	spoolsv.exe
1824	spoolsv.exe
1908	spoolsv.exe
1908	spoolsv.exe
4924	spoolsv.exe
4924	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3032	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	83
PID 2736 wrote to memory of 3032	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	83
PID 2736 wrote to memory of 1308	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	92
PID 2736 wrote to memory of 1308	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	92
PID 2736 wrote to memory of 1308	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	92
PID 2736 wrote to memory of 1308	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	92
PID 2736 wrote to memory of 1308	2736	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	92
PID 1308 wrote to memory of 2080	1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	93
PID 1308 wrote to memory of 2080	1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	93
PID 1308 wrote to memory of 2080	1308	e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe	93
PID 2080 wrote to memory of 2348	2080	explorer.exe	96
PID 2080 wrote to memory of 2348	2080	explorer.exe	96
PID 2080 wrote to memory of 2348	2080	explorer.exe	96
PID 2080 wrote to memory of 2348	2080	explorer.exe	96
PID 2080 wrote to memory of 2348	2080	explorer.exe	96
PID 2348 wrote to memory of 3116	2348	explorer.exe	97
PID 2348 wrote to memory of 3116	2348	explorer.exe	97
PID 2348 wrote to memory of 3116	2348	explorer.exe	97
PID 2348 wrote to memory of 5084	2348	explorer.exe	98
PID 2348 wrote to memory of 5084	2348	explorer.exe	98
PID 2348 wrote to memory of 5084	2348	explorer.exe	98
PID 2348 wrote to memory of 2088	2348	explorer.exe	99
PID 2348 wrote to memory of 2088	2348	explorer.exe	99
PID 2348 wrote to memory of 2088	2348	explorer.exe	99
PID 2348 wrote to memory of 2352	2348	explorer.exe	100
PID 2348 wrote to memory of 2352	2348	explorer.exe	100
PID 2348 wrote to memory of 2352	2348	explorer.exe	100
PID 2348 wrote to memory of 4432	2348	explorer.exe	101
PID 2348 wrote to memory of 4432	2348	explorer.exe	101
PID 2348 wrote to memory of 4432	2348	explorer.exe	101
PID 2348 wrote to memory of 3680	2348	explorer.exe	102
PID 2348 wrote to memory of 3680	2348	explorer.exe	102
PID 2348 wrote to memory of 3680	2348	explorer.exe	102
PID 2348 wrote to memory of 2336	2348	explorer.exe	103
PID 2348 wrote to memory of 2336	2348	explorer.exe	103
PID 2348 wrote to memory of 2336	2348	explorer.exe	103
PID 2348 wrote to memory of 4772	2348	explorer.exe	104
PID 2348 wrote to memory of 4772	2348	explorer.exe	104
PID 2348 wrote to memory of 4772	2348	explorer.exe	104
PID 2348 wrote to memory of 3664	2348	explorer.exe	105
PID 2348 wrote to memory of 3664	2348	explorer.exe	105
PID 2348 wrote to memory of 3664	2348	explorer.exe	105
PID 2348 wrote to memory of 3636	2348	explorer.exe	106
PID 2348 wrote to memory of 3636	2348	explorer.exe	106
PID 2348 wrote to memory of 3636	2348	explorer.exe	106
PID 2348 wrote to memory of 2616	2348	explorer.exe	107
PID 2348 wrote to memory of 2616	2348	explorer.exe	107
PID 2348 wrote to memory of 2616	2348	explorer.exe	107
PID 2348 wrote to memory of 2980	2348	explorer.exe	108
PID 2348 wrote to memory of 2980	2348	explorer.exe	108
PID 2348 wrote to memory of 2980	2348	explorer.exe	108
PID 2348 wrote to memory of 2224	2348	explorer.exe	109
PID 2348 wrote to memory of 2224	2348	explorer.exe	109
PID 2348 wrote to memory of 2224	2348	explorer.exe	109
PID 2348 wrote to memory of 4760	2348	explorer.exe	110
PID 2348 wrote to memory of 4760	2348	explorer.exe	110
PID 2348 wrote to memory of 4760	2348	explorer.exe	110
PID 2348 wrote to memory of 3560	2348	explorer.exe	111
PID 2348 wrote to memory of 3560	2348	explorer.exe	111
PID 2348 wrote to memory of 3560	2348	explorer.exe	111
PID 2348 wrote to memory of 3244	2348	explorer.exe	112
PID 2348 wrote to memory of 3244	2348	explorer.exe	112
PID 2348 wrote to memory of 3244	2348	explorer.exe	112
PID 2348 wrote to memory of 956	2348	explorer.exe	113

C:\Users\Admin\AppData\Local\Temp\e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e4ed802138185d95c623ca44cc3c9cbf_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1308
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3752
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1684
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4772
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3136
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4328
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2616
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4104
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3244
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:956
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4920
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2332
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1504
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4044
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1920
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2992
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1140
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:888
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2752
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4108
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4440
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3596
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4784
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4424
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:872
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:8
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3532
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
1e043201f71c5826ab788d0c8a79928a

SHA1
08bf41eefd7350ffa9cf5163b656927965af4987

SHA256
418caaab0a717916dc6668d1b1faa848bdcfe4ad3f1ac3479fae68ffbf2f5da8

SHA512
a404df60b8533ab1fa895d8e7ca6b9c9c1ff998614a2abe4222cf3e2e5884bd719bb1da911e0f3f6c9f37ef2818455271e7527755b441f8eeb2373c3c352b657

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
bc41f31e69f840b955778a2a54f449af

SHA1
f3e9ac18ba0491b4ccc66e99d392924c64f986ec

SHA256
8829e4cf9ae4a7a7401ac76811542064f9ef4a63a26bd533020f72063bc5417f

SHA512
37a52ee4f59d9f3d2a0981ae30edd2aef35e5064bf12be6087ecf3015e557881fd72b11c45d9f1d361ba037467bc3aa7c4a378184a49d335df4b8c3020c8a631

Download Submit
memory/320-5131-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/324-2272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/324-2268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/728-5492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-2127-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/872-5653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-1942-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1008-5203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-3762-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-2724-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-87-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1308-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-2824-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-2375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-2266-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1628-4889-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-4957-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-2049-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1824-3066-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1824-3061-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-5174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-2958-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-3139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-4097-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-2284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-2279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-101-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2080-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2088-2269-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2088-1068-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2224-1710-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2332-2253-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2336-1392-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2348-813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-4468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-1169-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2400-3157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-3153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-2684-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-1642-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2652-3123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-2941-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-0-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2736-43-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2736-36-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2736-37-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2744-2467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-4013-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-2698-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-2694-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2980-1709-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2992-3442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-2245-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3116-911-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3128-5151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-2458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-2657-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-1941-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3248-2967-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-2489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-2387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-2259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-2255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3348-2242-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3388-2199-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3520-2674-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-5671-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-1869-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3636-1575-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3664-1499-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3680-1311-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3752-2440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3836-2410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-4899-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-5680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-3165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-4465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-1240-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4440-5120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-5261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-2948-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-3853-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-2976-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4660-2531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-5184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-2580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-2584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-1802-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4772-1393-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4876-3173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-2241-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4924-3148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-4527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-2705-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-2481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-2477-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-2838-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-1067-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5084-2256-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download