pony | fc2bd0b39f01ed36e96d43f4d63137f3fb7c17fc03e819c054e3febbaf82cd10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
Size

2.2MB
MD5

e55fbe5aa46323c519c58d63d5a8b3be
SHA1

ac37dfedf00f423168472b8041b63e16331efaed
SHA256

fc2bd0b39f01ed36e96d43f4d63137f3fb7c17fc03e819c054e3febbaf82cd10
SHA512

487fb0592b884c80ef2077fb2ce6556df6f024ac95b4ab1661a8aac7c784385106d669af1cbe45a31837e6ad166f9ef3d017e618759c37e060ab0c53578a8f24
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZw:0UzeyQMS4DqodCnoe+iitjWwwc

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4632	explorer.exe
4600	explorer.exe
824	spoolsv.exe
1296	spoolsv.exe
4876	spoolsv.exe
3852	spoolsv.exe
4944	spoolsv.exe
3712	spoolsv.exe
3388	spoolsv.exe
884	spoolsv.exe
740	spoolsv.exe
2460	spoolsv.exe
1980	spoolsv.exe
3692	spoolsv.exe
3152	spoolsv.exe
1052	spoolsv.exe
4700	spoolsv.exe
4796	spoolsv.exe
1312	spoolsv.exe
4632	spoolsv.exe
3168	spoolsv.exe
5060	spoolsv.exe
1668	spoolsv.exe
4452	spoolsv.exe
632	spoolsv.exe
1972	spoolsv.exe
544	spoolsv.exe
3344	spoolsv.exe
1640	spoolsv.exe
1872	spoolsv.exe
1040	spoolsv.exe
2300	spoolsv.exe
1664	spoolsv.exe
460	spoolsv.exe
444	explorer.exe
3008	spoolsv.exe
3056	spoolsv.exe
3788	spoolsv.exe
1516	spoolsv.exe
920	spoolsv.exe
380	spoolsv.exe
2872	spoolsv.exe
3512	explorer.exe
4372	spoolsv.exe
1308	spoolsv.exe
3860	spoolsv.exe
2036	spoolsv.exe
1400	spoolsv.exe
3376	spoolsv.exe
3532	explorer.exe
2412	spoolsv.exe
2016	spoolsv.exe
3808	spoolsv.exe
4476	spoolsv.exe
2920	spoolsv.exe
1752	explorer.exe
4376	spoolsv.exe
4760	spoolsv.exe
2064	spoolsv.exe
3288	spoolsv.exe
472	spoolsv.exe
4256	spoolsv.exe
516	explorer.exe
2856	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 55 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 3888	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	91
PID 4632 set thread context of 4600	4632	explorer.exe	95
PID 824 set thread context of 460	824	spoolsv.exe	127
PID 1296 set thread context of 3008	1296	spoolsv.exe	129
PID 4876 set thread context of 3056	4876	spoolsv.exe	130
PID 3852 set thread context of 3788	3852	spoolsv.exe	131
PID 4944 set thread context of 920	4944	spoolsv.exe	133
PID 3712 set thread context of 380	3712	spoolsv.exe	134
PID 3388 set thread context of 2872	3388	spoolsv.exe	135
PID 884 set thread context of 4372	884	spoolsv.exe	137
PID 740 set thread context of 1308	740	spoolsv.exe	138
PID 2460 set thread context of 2036	2460	spoolsv.exe	140
PID 1980 set thread context of 1400	1980	spoolsv.exe	141
PID 3692 set thread context of 3376	3692	spoolsv.exe	142
PID 3152 set thread context of 2412	3152	spoolsv.exe	144
PID 1052 set thread context of 2016	1052	spoolsv.exe	145
PID 4700 set thread context of 4476	4700	spoolsv.exe	147
PID 4796 set thread context of 2920	4796	spoolsv.exe	148
PID 1312 set thread context of 4376	1312	spoolsv.exe	150
PID 4632 set thread context of 4760	4632	spoolsv.exe	151
PID 3168 set thread context of 3288	3168	spoolsv.exe	153
PID 5060 set thread context of 472	5060	spoolsv.exe	154
PID 1668 set thread context of 4256	1668	spoolsv.exe	155
PID 4452 set thread context of 2856	4452	spoolsv.exe	157
PID 632 set thread context of 4928	632	spoolsv.exe	158
PID 1972 set thread context of 2168	1972	spoolsv.exe	160
PID 544 set thread context of 4416	544	spoolsv.exe	161
PID 3344 set thread context of 4864	3344	spoolsv.exe	162
PID 1640 set thread context of 3440	1640	spoolsv.exe	163
PID 1872 set thread context of 2028	1872	spoolsv.exe	165
PID 1040 set thread context of 4496	1040	spoolsv.exe	167
PID 2300 set thread context of 3336	2300	spoolsv.exe	168
PID 1664 set thread context of 4804	1664	spoolsv.exe	172
PID 444 set thread context of 1328	444	explorer.exe	175
PID 1516 set thread context of 3164	1516	spoolsv.exe	177
PID 3512 set thread context of 1292	3512	explorer.exe	180
PID 3860 set thread context of 4120	3860	spoolsv.exe	184
PID 3532 set thread context of 744	3532	explorer.exe	186
PID 3808 set thread context of 1536	3808	spoolsv.exe	189
PID 1752 set thread context of 1876	1752	explorer.exe	192
PID 2064 set thread context of 3120	2064	spoolsv.exe	196
PID 516 set thread context of 1188	516	explorer.exe	200
PID 4512 set thread context of 4124	4512	spoolsv.exe	203
PID 3480 set thread context of 3132	3480	spoolsv.exe	206
PID 3076 set thread context of 3828	3076	explorer.exe	207
PID 1564 set thread context of 2456	1564	spoolsv.exe	208
PID 644 set thread context of 2100	644	spoolsv.exe	210
PID 636 set thread context of 4716	636	spoolsv.exe	213
PID 1508 set thread context of 5068	1508	explorer.exe	215
PID 1968 set thread context of 2904	1968	spoolsv.exe	217
PID 1448 set thread context of 4556	1448	spoolsv.exe	218
PID 4340 set thread context of 4592	4340	explorer.exe	221
PID 3396 set thread context of 3612	3396	spoolsv.exe	222
PID 2616 set thread context of 1740	2616	spoolsv.exe	223
PID 5044 set thread context of 2932	5044	spoolsv.exe	225

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4600	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
4600	explorer.exe
460	spoolsv.exe
460	spoolsv.exe
3008	spoolsv.exe
3008	spoolsv.exe
3056	spoolsv.exe
3056	spoolsv.exe
3788	spoolsv.exe
3788	spoolsv.exe
920	spoolsv.exe
920	spoolsv.exe
380	spoolsv.exe
380	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
4372	spoolsv.exe
4372	spoolsv.exe
1308	spoolsv.exe
1308	spoolsv.exe
2036	spoolsv.exe
2036	spoolsv.exe
1400	spoolsv.exe
1400	spoolsv.exe
3376	spoolsv.exe
3376	spoolsv.exe
2412	spoolsv.exe
2412	spoolsv.exe
2016	spoolsv.exe
2016	spoolsv.exe
4476	spoolsv.exe
4476	spoolsv.exe
2920	spoolsv.exe
2920	spoolsv.exe
4376	spoolsv.exe
4376	spoolsv.exe
4760	spoolsv.exe
4760	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe
472	spoolsv.exe
472	spoolsv.exe
4256	spoolsv.exe
4256	spoolsv.exe
2856	spoolsv.exe
2856	spoolsv.exe
4928	spoolsv.exe
4928	spoolsv.exe
2168	spoolsv.exe
2168	spoolsv.exe
4416	spoolsv.exe
4416	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
3440	spoolsv.exe
3440	spoolsv.exe
2028	spoolsv.exe
2028	spoolsv.exe
4496	spoolsv.exe
4496	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4608	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	82
PID 3568 wrote to memory of 4608	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	82
PID 3568 wrote to memory of 3888	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	91
PID 3568 wrote to memory of 3888	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	91
PID 3568 wrote to memory of 3888	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	91
PID 3568 wrote to memory of 3888	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	91
PID 3568 wrote to memory of 3888	3568	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	91
PID 3888 wrote to memory of 4632	3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	92
PID 3888 wrote to memory of 4632	3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	92
PID 3888 wrote to memory of 4632	3888	e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe	92
PID 4632 wrote to memory of 4600	4632	explorer.exe	95
PID 4632 wrote to memory of 4600	4632	explorer.exe	95
PID 4632 wrote to memory of 4600	4632	explorer.exe	95
PID 4632 wrote to memory of 4600	4632	explorer.exe	95
PID 4632 wrote to memory of 4600	4632	explorer.exe	95
PID 4600 wrote to memory of 824	4600	explorer.exe	96
PID 4600 wrote to memory of 824	4600	explorer.exe	96
PID 4600 wrote to memory of 824	4600	explorer.exe	96
PID 4600 wrote to memory of 1296	4600	explorer.exe	97
PID 4600 wrote to memory of 1296	4600	explorer.exe	97
PID 4600 wrote to memory of 1296	4600	explorer.exe	97
PID 4600 wrote to memory of 4876	4600	explorer.exe	98
PID 4600 wrote to memory of 4876	4600	explorer.exe	98
PID 4600 wrote to memory of 4876	4600	explorer.exe	98
PID 4600 wrote to memory of 3852	4600	explorer.exe	99
PID 4600 wrote to memory of 3852	4600	explorer.exe	99
PID 4600 wrote to memory of 3852	4600	explorer.exe	99
PID 4600 wrote to memory of 4944	4600	explorer.exe	100
PID 4600 wrote to memory of 4944	4600	explorer.exe	100
PID 4600 wrote to memory of 4944	4600	explorer.exe	100
PID 4600 wrote to memory of 3712	4600	explorer.exe	101
PID 4600 wrote to memory of 3712	4600	explorer.exe	101
PID 4600 wrote to memory of 3712	4600	explorer.exe	101
PID 4600 wrote to memory of 3388	4600	explorer.exe	102
PID 4600 wrote to memory of 3388	4600	explorer.exe	102
PID 4600 wrote to memory of 3388	4600	explorer.exe	102
PID 4600 wrote to memory of 884	4600	explorer.exe	103
PID 4600 wrote to memory of 884	4600	explorer.exe	103
PID 4600 wrote to memory of 884	4600	explorer.exe	103
PID 4600 wrote to memory of 740	4600	explorer.exe	104
PID 4600 wrote to memory of 740	4600	explorer.exe	104
PID 4600 wrote to memory of 740	4600	explorer.exe	104
PID 4600 wrote to memory of 2460	4600	explorer.exe	105
PID 4600 wrote to memory of 2460	4600	explorer.exe	105
PID 4600 wrote to memory of 2460	4600	explorer.exe	105
PID 4600 wrote to memory of 1980	4600	explorer.exe	106
PID 4600 wrote to memory of 1980	4600	explorer.exe	106
PID 4600 wrote to memory of 1980	4600	explorer.exe	106
PID 4600 wrote to memory of 3692	4600	explorer.exe	107
PID 4600 wrote to memory of 3692	4600	explorer.exe	107
PID 4600 wrote to memory of 3692	4600	explorer.exe	107
PID 4600 wrote to memory of 3152	4600	explorer.exe	108
PID 4600 wrote to memory of 3152	4600	explorer.exe	108
PID 4600 wrote to memory of 3152	4600	explorer.exe	108
PID 4600 wrote to memory of 1052	4600	explorer.exe	109
PID 4600 wrote to memory of 1052	4600	explorer.exe	109
PID 4600 wrote to memory of 1052	4600	explorer.exe	109
PID 4600 wrote to memory of 4700	4600	explorer.exe	110
PID 4600 wrote to memory of 4700	4600	explorer.exe	110
PID 4600 wrote to memory of 4700	4600	explorer.exe	110
PID 4600 wrote to memory of 4796	4600	explorer.exe	111
PID 4600 wrote to memory of 4796	4600	explorer.exe	111
PID 4600 wrote to memory of 4796	4600	explorer.exe	111
PID 4600 wrote to memory of 1312	4600	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e55fbe5aa46323c519c58d63d5a8b3be_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3888
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:460
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:444
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1296
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:884
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2460
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4796
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1752
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3168
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4256
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3076
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4804
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1508
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1516
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:4340
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4124
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3480
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2456
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4556
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2616
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2932
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
0aac73857509e23b559f69a802eb52d7

SHA1
5035211c092cdaf1f7088c09c691ae96893dca97

SHA256
2a687c29a88800920df9adb44b50dd82148c0029d1e06c6afdfd3f84f8acbf80

SHA512
56ee5ab5298750ef3b6bd3ec485009d13a15bace42796ca7dea676d604f326ccc8291970fef7188eb217d95fb2e52304e980930ba8731d1b99f0716eeb4b698d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
8cd16aaad0359d3612c94c07fe771078

SHA1
9e6d10f240ea263a58f7362886774cd638e2f3ef

SHA256
cc9ce9aeae00c197e4b6022cf1f694caca23114209cf87666530ac32d29a0efb

SHA512
8cc1df68e69cb2e64cfab5dc7e0b197cb1259dbf9f9ad7cfe94e3889d30a858bbd551d60c06f8f3cde5169d4df9073768ff723ca5949a316c6017fb8a538cf71

Download Submit
memory/380-2105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-1973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-2164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-2713-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-2690-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-2005-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/740-1327-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/744-3823-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/824-753-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/824-1975-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/884-1231-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/920-2093-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-1590-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1188-4629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-3661-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-895-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1296-1984-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1308-2204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-1767-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1328-3408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-2303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-4174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-1982-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1876-4195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-1471-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2036-2277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-4941-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-2844-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-2848-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-2376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-2381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-4932-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-1395-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2872-2182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-5238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-2556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-2723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-1983-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-1985-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3056-1995-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-4411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-4545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-4857-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-1528-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3164-3602-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-1966-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3288-2653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-3017-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-2540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-2369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-1155-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3440-2924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-42-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3568-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3568-49-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3568-0-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3612-5410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-5407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-1472-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3712-1104-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3788-2009-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-2006-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-4866-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-1032-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3888-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-3935-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4124-4913-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-2740-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-2907-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-2192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-2566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-2568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-2855-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-1994-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4476-2471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-2468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-5302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-5468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-5399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-3816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-655-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-104-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4632-1894-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4632-99-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4700-1643-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4716-5143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-5283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-2579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-1695-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4804-3389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-2865-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-2869-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-1996-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4876-966-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4928-2757-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-2761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-1033-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5060-1967-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5068-5155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download