pony | 79ab452039204c815215c9cdd73f28b0db81a82bd4d6098ad177126ea09b2921

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
Size

2.2MB
MD5

e69a344708a5adf954f5304767184ac3
SHA1

f902f62eed5ba14d1f9d3513979669cdade71b9e
SHA256

79ab452039204c815215c9cdd73f28b0db81a82bd4d6098ad177126ea09b2921
SHA512

7465135013c2d376dac60b40477180ca1364580fda82515d3c3d9a6803e294803a6c2ec65cc3542bdfa6c1204fd27e8fe28b2eded4d335a35728a932c89cfc86
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZO:0UzeyQMS4DqodCnoe+iitjWwwC

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
636	explorer.exe
1352	explorer.exe
4344	spoolsv.exe
3092	spoolsv.exe
1216	spoolsv.exe
3220	spoolsv.exe
3768	spoolsv.exe
4132	spoolsv.exe
4916	spoolsv.exe
1648	spoolsv.exe
4320	spoolsv.exe
3444	spoolsv.exe
512	spoolsv.exe
5032	spoolsv.exe
1748	spoolsv.exe
3412	spoolsv.exe
3556	spoolsv.exe
3868	spoolsv.exe
2720	spoolsv.exe
4924	spoolsv.exe
3312	spoolsv.exe
2192	spoolsv.exe
4104	spoolsv.exe
3784	spoolsv.exe
4328	spoolsv.exe
4204	spoolsv.exe
4888	spoolsv.exe
4488	spoolsv.exe
436	spoolsv.exe
3812	spoolsv.exe
4016	spoolsv.exe
2420	spoolsv.exe
2320	spoolsv.exe
952	explorer.exe
1676	spoolsv.exe
4548	spoolsv.exe
3736	spoolsv.exe
4440	spoolsv.exe
1664	explorer.exe
3436	spoolsv.exe
1452	spoolsv.exe
876	spoolsv.exe
1496	spoolsv.exe
3712	explorer.exe
1064	spoolsv.exe
4300	spoolsv.exe
2548	spoolsv.exe
1964	spoolsv.exe
3224	spoolsv.exe
5004	spoolsv.exe
1988	spoolsv.exe
4040	spoolsv.exe
1692	explorer.exe
4928	spoolsv.exe
4792	spoolsv.exe
412	spoolsv.exe
4276	explorer.exe
5000	spoolsv.exe
2908	spoolsv.exe
1912	spoolsv.exe
4904	spoolsv.exe
1156	explorer.exe
4840	spoolsv.exe
2064	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 46 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 3180	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	88
PID 636 set thread context of 1352	636	explorer.exe	93
PID 4344 set thread context of 2320	4344	spoolsv.exe	125
PID 3092 set thread context of 1676	3092	spoolsv.exe	127
PID 1216 set thread context of 4548	1216	spoolsv.exe	128
PID 3220 set thread context of 4440	3220	spoolsv.exe	130
PID 3768 set thread context of 3436	3768	spoolsv.exe	132
PID 4132 set thread context of 1452	4132	spoolsv.exe	133
PID 4916 set thread context of 1496	4916	spoolsv.exe	135
PID 1648 set thread context of 1064	1648	spoolsv.exe	137
PID 4320 set thread context of 4300	4320	spoolsv.exe	138
PID 3444 set thread context of 2548	3444	spoolsv.exe	139
PID 512 set thread context of 1964	512	spoolsv.exe	140
PID 5032 set thread context of 3224	5032	spoolsv.exe	141
PID 1748 set thread context of 5004	1748	spoolsv.exe	142
PID 3412 set thread context of 4040	3412	spoolsv.exe	144
PID 3556 set thread context of 4928	3556	spoolsv.exe	146
PID 3868 set thread context of 412	3868	spoolsv.exe	148
PID 2720 set thread context of 2908	2720	spoolsv.exe	151
PID 4924 set thread context of 1912	4924	spoolsv.exe	152
PID 3312 set thread context of 4904	3312	spoolsv.exe	153
PID 2192 set thread context of 2064	2192	spoolsv.exe	156
PID 4104 set thread context of 3916	4104	spoolsv.exe	157
PID 3784 set thread context of 4968	3784	spoolsv.exe	160
PID 4328 set thread context of 1448	4328	spoolsv.exe	161
PID 4204 set thread context of 3252	4204	spoolsv.exe	163
PID 4888 set thread context of 2888	4888	spoolsv.exe	166
PID 4488 set thread context of 2040	4488	spoolsv.exe	167
PID 436 set thread context of 688	436	spoolsv.exe	169
PID 3812 set thread context of 4540	3812	spoolsv.exe	179
PID 4016 set thread context of 3256	4016	spoolsv.exe	173
PID 2420 set thread context of 4540	2420	spoolsv.exe	179
PID 952 set thread context of 3672	952	explorer.exe	180
PID 1664 set thread context of 3908	1664	explorer.exe	183
PID 3736 set thread context of 2656	3736	spoolsv.exe	185
PID 876 set thread context of 4136	876	spoolsv.exe	189
PID 3712 set thread context of 3504	3712	explorer.exe	191
PID 1988 set thread context of 1968	1988	spoolsv.exe	193
PID 1692 set thread context of 4824	1692	explorer.exe	194
PID 4792 set thread context of 4332	4792	spoolsv.exe	196
PID 4276 set thread context of 3420	4276	explorer.exe	199
PID 5000 set thread context of 2944	5000	spoolsv.exe	200
PID 1156 set thread context of 1740	1156	explorer.exe	203
PID 4840 set thread context of 316	4840	spoolsv.exe	204
PID 5092 set thread context of 760	5092	explorer.exe	207
PID 4768 set thread context of 1424	4768	spoolsv.exe	208

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1352	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
1352	explorer.exe
2320	spoolsv.exe
2320	spoolsv.exe
1676	spoolsv.exe
1676	spoolsv.exe
4548	spoolsv.exe
4548	spoolsv.exe
4440	spoolsv.exe
4440	spoolsv.exe
3436	spoolsv.exe
3436	spoolsv.exe
1452	spoolsv.exe
1452	spoolsv.exe
1496	spoolsv.exe
1496	spoolsv.exe
1064	spoolsv.exe
1064	spoolsv.exe
4300	spoolsv.exe
4300	spoolsv.exe
2548	spoolsv.exe
2548	spoolsv.exe
1964	spoolsv.exe
1964	spoolsv.exe
3224	spoolsv.exe
3224	spoolsv.exe
5004	spoolsv.exe
5004	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4928	spoolsv.exe
4928	spoolsv.exe
412	spoolsv.exe
412	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
1912	spoolsv.exe
1912	spoolsv.exe
4904	spoolsv.exe
4904	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
3916	spoolsv.exe
3916	spoolsv.exe
4968	spoolsv.exe
4968	spoolsv.exe
1448	spoolsv.exe
1448	spoolsv.exe
3252	spoolsv.exe
3252	spoolsv.exe
2888	spoolsv.exe
2888	spoolsv.exe
2040	spoolsv.exe
2040	spoolsv.exe
688	spoolsv.exe
688	spoolsv.exe
4540	spoolsv.exe
4540	spoolsv.exe
3256	spoolsv.exe
3256	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2352	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	84
PID 2128 wrote to memory of 2352	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	84
PID 2128 wrote to memory of 3180	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	88
PID 2128 wrote to memory of 3180	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	88
PID 2128 wrote to memory of 3180	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	88
PID 2128 wrote to memory of 3180	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	88
PID 2128 wrote to memory of 3180	2128	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	88
PID 3180 wrote to memory of 636	3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	89
PID 3180 wrote to memory of 636	3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	89
PID 3180 wrote to memory of 636	3180	e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe	89
PID 636 wrote to memory of 1352	636	explorer.exe	93
PID 636 wrote to memory of 1352	636	explorer.exe	93
PID 636 wrote to memory of 1352	636	explorer.exe	93
PID 636 wrote to memory of 1352	636	explorer.exe	93
PID 636 wrote to memory of 1352	636	explorer.exe	93
PID 1352 wrote to memory of 4344	1352	explorer.exe	94
PID 1352 wrote to memory of 4344	1352	explorer.exe	94
PID 1352 wrote to memory of 4344	1352	explorer.exe	94
PID 1352 wrote to memory of 3092	1352	explorer.exe	95
PID 1352 wrote to memory of 3092	1352	explorer.exe	95
PID 1352 wrote to memory of 3092	1352	explorer.exe	95
PID 1352 wrote to memory of 1216	1352	explorer.exe	96
PID 1352 wrote to memory of 1216	1352	explorer.exe	96
PID 1352 wrote to memory of 1216	1352	explorer.exe	96
PID 1352 wrote to memory of 3220	1352	explorer.exe	97
PID 1352 wrote to memory of 3220	1352	explorer.exe	97
PID 1352 wrote to memory of 3220	1352	explorer.exe	97
PID 1352 wrote to memory of 3768	1352	explorer.exe	98
PID 1352 wrote to memory of 3768	1352	explorer.exe	98
PID 1352 wrote to memory of 3768	1352	explorer.exe	98
PID 1352 wrote to memory of 4132	1352	explorer.exe	99
PID 1352 wrote to memory of 4132	1352	explorer.exe	99
PID 1352 wrote to memory of 4132	1352	explorer.exe	99
PID 1352 wrote to memory of 4916	1352	explorer.exe	100
PID 1352 wrote to memory of 4916	1352	explorer.exe	100
PID 1352 wrote to memory of 4916	1352	explorer.exe	100
PID 1352 wrote to memory of 1648	1352	explorer.exe	102
PID 1352 wrote to memory of 1648	1352	explorer.exe	102
PID 1352 wrote to memory of 1648	1352	explorer.exe	102
PID 1352 wrote to memory of 4320	1352	explorer.exe	103
PID 1352 wrote to memory of 4320	1352	explorer.exe	103
PID 1352 wrote to memory of 4320	1352	explorer.exe	103
PID 1352 wrote to memory of 3444	1352	explorer.exe	104
PID 1352 wrote to memory of 3444	1352	explorer.exe	104
PID 1352 wrote to memory of 3444	1352	explorer.exe	104
PID 1352 wrote to memory of 512	1352	explorer.exe	105
PID 1352 wrote to memory of 512	1352	explorer.exe	105
PID 1352 wrote to memory of 512	1352	explorer.exe	105
PID 1352 wrote to memory of 5032	1352	explorer.exe	106
PID 1352 wrote to memory of 5032	1352	explorer.exe	106
PID 1352 wrote to memory of 5032	1352	explorer.exe	106
PID 1352 wrote to memory of 1748	1352	explorer.exe	107
PID 1352 wrote to memory of 1748	1352	explorer.exe	107
PID 1352 wrote to memory of 1748	1352	explorer.exe	107
PID 1352 wrote to memory of 3412	1352	explorer.exe	108
PID 1352 wrote to memory of 3412	1352	explorer.exe	108
PID 1352 wrote to memory of 3412	1352	explorer.exe	108
PID 1352 wrote to memory of 3556	1352	explorer.exe	109
PID 1352 wrote to memory of 3556	1352	explorer.exe	109
PID 1352 wrote to memory of 3556	1352	explorer.exe	109
PID 1352 wrote to memory of 3868	1352	explorer.exe	110
PID 1352 wrote to memory of 3868	1352	explorer.exe	110
PID 1352 wrote to memory of 3868	1352	explorer.exe	110
PID 1352 wrote to memory of 2720	1352	explorer.exe	111

C:\Users\Admin\AppData\Local\Temp\e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e69a344708a5adf954f5304767184ac3_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3180
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:636
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:952
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1216
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3444
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:412
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4924
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4104
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3784
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4888
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:436
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4540
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3736
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3952
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4676
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4792
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1424
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1108
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5036
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1836
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2220
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4948
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
ec5f0ece916e19d26268f1629d2cc720

SHA1
5cf748f391b8011e384f0c1dc6455b09a5d8c1fd

SHA256
9f1fe334a6a1e2bff4690ae7dc154875f2caab9ef5f47d4983b52a3bd9fb1510

SHA512
ccd4b8162bd56f0e5db145d62af5eb3bd0e2374a5c377f5c6da25498787bac6136fb142b998ad48ebc3d4d2e3665bce2382691d0cc2e15170b574a57aa4d8907

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
b1663f99deea60680c34196077f15483

SHA1
eb6ec626f28614a3442f41d24ad63c0fd15f4ef5

SHA256
ee23f27e61a95dd3437fb93a2f5d5587229b8b0b323cb07911c0825445fa0ee4

SHA512
aade4389c5413bdfca91d4cfab45067d18464084e44bc2e3fc7b233cc4ca89112e6b802ba0f0a472db26f1590dbf67e6cb38bc9ecccd1be121b01c26a1804029

Download Submit
memory/316-4616-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-4778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-2745-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-2571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/512-1331-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/636-91-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/636-96-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/688-3455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-3330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-4780-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-1947-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1216-988-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1260-5777-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-793-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-4194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-5013-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-4904-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-3010-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-2085-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-2238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-2386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-5056-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-1248-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1676-1936-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-4554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-1470-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1912-2678-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-2673-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-2274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-3175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-42-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2128-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2128-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-51-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2192-1927-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2220-5755-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-2042-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-5022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-5303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-4999-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-5568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-3923-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-1764-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2888-3161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-3165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-2667-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-4607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-1932-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3092-922-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3180-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-83-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3180-85-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-1029-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3224-2285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-3153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-3294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-3579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-5314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-1920-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3412-1547-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3420-4452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-2075-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-1330-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3556-1594-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3672-3719-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-5131-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-1030-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3784-2059-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3868-1646-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3908-3927-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-3056-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-2547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-2412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-1942-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4132-1091-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4136-4116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-5041-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-2255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-1254-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4340-4989-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-5197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-1924-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4344-848-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4440-2064-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-2199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4512-5200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-3708-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-3847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-3352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-3348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-1949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-4206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-2773-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-2894-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-1152-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4924-1841-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4928-2445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-2999-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-2298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-2294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-1398-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5036-5295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download