pony | 2248a530751edb329b978bbe00185bf755416c3e323b4069f4bf4cd46f1a3745

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
Size

2.2MB
MD5

eabda5d34b7a347f653595fef894e426
SHA1

e34b9eff272196df6784673a4a3493aacc8d319f
SHA256

2248a530751edb329b978bbe00185bf755416c3e323b4069f4bf4cd46f1a3745
SHA512

e0f117c2b4a3c1753c2d370f6299cd6afd216fbd9b16c5ea4d239d56a3677c33ae64b14dddec0b0634e7a73f61f3fe7d820afdbc03a9ce507880fced38d4eed9
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZH:0UzeyQMS4DqodCnoe+iitjWwwD

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1684	explorer.exe
2296	explorer.exe
1812	spoolsv.exe
4876	spoolsv.exe
3068	spoolsv.exe
2872	spoolsv.exe
1652	spoolsv.exe
2564	spoolsv.exe
4372	spoolsv.exe
2828	spoolsv.exe
4816	spoolsv.exe
2740	spoolsv.exe
4600	spoolsv.exe
2072	spoolsv.exe
4740	spoolsv.exe
3564	spoolsv.exe
4728	spoolsv.exe
940	spoolsv.exe
4928	spoolsv.exe
3408	spoolsv.exe
1220	spoolsv.exe
4800	spoolsv.exe
4448	spoolsv.exe
3640	spoolsv.exe
3928	spoolsv.exe
4360	spoolsv.exe
1956	spoolsv.exe
4352	spoolsv.exe
2028	spoolsv.exe
1496	spoolsv.exe
664	spoolsv.exe
4428	spoolsv.exe
3724	spoolsv.exe
2444	explorer.exe
4676	spoolsv.exe
1656	spoolsv.exe
932	spoolsv.exe
3604	spoolsv.exe
2968	spoolsv.exe
4872	explorer.exe
3924	spoolsv.exe
4388	spoolsv.exe
4020	spoolsv.exe
3660	spoolsv.exe
1380	spoolsv.exe
4744	explorer.exe
5000	spoolsv.exe
1492	spoolsv.exe
708	spoolsv.exe
4844	spoolsv.exe
804	spoolsv.exe
3660	explorer.exe
2528	spoolsv.exe
3828	spoolsv.exe
832	spoolsv.exe
5056	spoolsv.exe
3612	spoolsv.exe
4664	spoolsv.exe
2688	spoolsv.exe
4388	explorer.exe
1816	spoolsv.exe
1524	spoolsv.exe
4460	spoolsv.exe
1780	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 51 IoCs

description	pid	Process	procid_target
PID 3848 set thread context of 4612	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	91
PID 1684 set thread context of 2296	1684	explorer.exe	95
PID 1812 set thread context of 3724	1812	spoolsv.exe	126
PID 4876 set thread context of 4676	4876	spoolsv.exe	128
PID 3068 set thread context of 1656	3068	spoolsv.exe	129
PID 2872 set thread context of 932	2872	spoolsv.exe	130
PID 1652 set thread context of 2968	1652	spoolsv.exe	132
PID 2564 set thread context of 3924	2564	spoolsv.exe	134
PID 4372 set thread context of 4388	4372	spoolsv.exe	135
PID 2828 set thread context of 3660	2828	spoolsv.exe	145
PID 4816 set thread context of 1380	4816	spoolsv.exe	138
PID 2740 set thread context of 5000	2740	spoolsv.exe	140
PID 4600 set thread context of 1492	4600	spoolsv.exe	141
PID 2072 set thread context of 708	2072	spoolsv.exe	142
PID 4740 set thread context of 804	4740	spoolsv.exe	144
PID 3564 set thread context of 2528	3564	spoolsv.exe	146
PID 4728 set thread context of 3828	4728	spoolsv.exe	147
PID 940 set thread context of 832	940	spoolsv.exe	148
PID 4928 set thread context of 5056	4928	spoolsv.exe	149
PID 3408 set thread context of 4664	3408	spoolsv.exe	151
PID 1220 set thread context of 2688	1220	spoolsv.exe	152
PID 4800 set thread context of 1816	4800	spoolsv.exe	154
PID 4448 set thread context of 1524	4448	spoolsv.exe	155
PID 3640 set thread context of 4460	3640	spoolsv.exe	166
PID 3928 set thread context of 2424	3928	spoolsv.exe	158
PID 4360 set thread context of 2992	4360	spoolsv.exe	160
PID 1956 set thread context of 1724	1956	spoolsv.exe	161
PID 4352 set thread context of 4468	4352	spoolsv.exe	162
PID 2028 set thread context of 5048	2028	spoolsv.exe	163
PID 1496 set thread context of 5016	1496	spoolsv.exe	164
PID 664 set thread context of 4460	664	spoolsv.exe	166
PID 2444 set thread context of 3708	2444	explorer.exe	170
PID 4428 set thread context of 760	4428	spoolsv.exe	171
PID 3604 set thread context of 4016	3604	spoolsv.exe	175
PID 4872 set thread context of 2460	4872	explorer.exe	177
PID 4020 set thread context of 1684	4020	spoolsv.exe	180
PID 4744 set thread context of 1236	4744	explorer.exe	182
PID 4844 set thread context of 2440	4844	spoolsv.exe	186
PID 3660 set thread context of 2400	3660	explorer.exe	189
PID 3612 set thread context of 2060	3612	spoolsv.exe	192
PID 4388 set thread context of 4540	4388	explorer.exe	194
PID 1780 set thread context of 3484	1780	spoolsv.exe	199
PID 4748 set thread context of 3864	4748	spoolsv.exe	202
PID 512 set thread context of 548	512	explorer.exe	203
PID 4828 set thread context of 1508	4828	spoolsv.exe	205
PID 4328 set thread context of 4660	4328	spoolsv.exe	208
PID 4244 set thread context of 5084	4244	explorer.exe	210
PID 4172 set thread context of 5040	4172	spoolsv.exe	211
PID 4144 set thread context of 4532	4144	spoolsv.exe	213
PID 1308 set thread context of 3776	1308	explorer.exe	215
PID 3372 set thread context of 3376	3372	spoolsv.exe	217

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
3724	spoolsv.exe
3724	spoolsv.exe
4676	spoolsv.exe
4676	spoolsv.exe
1656	spoolsv.exe
1656	spoolsv.exe
932	spoolsv.exe
932	spoolsv.exe
2968	spoolsv.exe
2968	spoolsv.exe
3924	spoolsv.exe
3924	spoolsv.exe
4388	spoolsv.exe
4388	spoolsv.exe
3660	spoolsv.exe
3660	spoolsv.exe
1380	spoolsv.exe
1380	spoolsv.exe
5000	spoolsv.exe
5000	spoolsv.exe
1492	spoolsv.exe
1492	spoolsv.exe
708	spoolsv.exe
708	spoolsv.exe
804	spoolsv.exe
804	spoolsv.exe
2528	spoolsv.exe
2528	spoolsv.exe
3828	spoolsv.exe
3828	spoolsv.exe
832	spoolsv.exe
832	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
4664	spoolsv.exe
4664	spoolsv.exe
2688	spoolsv.exe
2688	spoolsv.exe
1816	spoolsv.exe
1816	spoolsv.exe
1524	spoolsv.exe
1524	spoolsv.exe
4460	spoolsv.exe
4460	spoolsv.exe
2424	spoolsv.exe
2424	spoolsv.exe
2992	spoolsv.exe
2992	spoolsv.exe
1724	spoolsv.exe
1724	spoolsv.exe
4468	spoolsv.exe
4468	spoolsv.exe
5048	spoolsv.exe
5048	spoolsv.exe
5016	spoolsv.exe
5016	spoolsv.exe
4460	spoolsv.exe
4460	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 1184	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	82
PID 3848 wrote to memory of 1184	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	82
PID 3848 wrote to memory of 4612	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	91
PID 3848 wrote to memory of 4612	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	91
PID 3848 wrote to memory of 4612	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	91
PID 3848 wrote to memory of 4612	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	91
PID 3848 wrote to memory of 4612	3848	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	91
PID 4612 wrote to memory of 1684	4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	92
PID 4612 wrote to memory of 1684	4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	92
PID 4612 wrote to memory of 1684	4612	eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe	92
PID 1684 wrote to memory of 2296	1684	explorer.exe	95
PID 1684 wrote to memory of 2296	1684	explorer.exe	95
PID 1684 wrote to memory of 2296	1684	explorer.exe	95
PID 1684 wrote to memory of 2296	1684	explorer.exe	95
PID 1684 wrote to memory of 2296	1684	explorer.exe	95
PID 2296 wrote to memory of 1812	2296	explorer.exe	96
PID 2296 wrote to memory of 1812	2296	explorer.exe	96
PID 2296 wrote to memory of 1812	2296	explorer.exe	96
PID 2296 wrote to memory of 4876	2296	explorer.exe	97
PID 2296 wrote to memory of 4876	2296	explorer.exe	97
PID 2296 wrote to memory of 4876	2296	explorer.exe	97
PID 2296 wrote to memory of 3068	2296	explorer.exe	98
PID 2296 wrote to memory of 3068	2296	explorer.exe	98
PID 2296 wrote to memory of 3068	2296	explorer.exe	98
PID 2296 wrote to memory of 2872	2296	explorer.exe	99
PID 2296 wrote to memory of 2872	2296	explorer.exe	99
PID 2296 wrote to memory of 2872	2296	explorer.exe	99
PID 2296 wrote to memory of 1652	2296	explorer.exe	100
PID 2296 wrote to memory of 1652	2296	explorer.exe	100
PID 2296 wrote to memory of 1652	2296	explorer.exe	100
PID 2296 wrote to memory of 2564	2296	explorer.exe	101
PID 2296 wrote to memory of 2564	2296	explorer.exe	101
PID 2296 wrote to memory of 2564	2296	explorer.exe	101
PID 2296 wrote to memory of 4372	2296	explorer.exe	102
PID 2296 wrote to memory of 4372	2296	explorer.exe	102
PID 2296 wrote to memory of 4372	2296	explorer.exe	102
PID 2296 wrote to memory of 2828	2296	explorer.exe	103
PID 2296 wrote to memory of 2828	2296	explorer.exe	103
PID 2296 wrote to memory of 2828	2296	explorer.exe	103
PID 2296 wrote to memory of 4816	2296	explorer.exe	104
PID 2296 wrote to memory of 4816	2296	explorer.exe	104
PID 2296 wrote to memory of 4816	2296	explorer.exe	104
PID 2296 wrote to memory of 2740	2296	explorer.exe	105
PID 2296 wrote to memory of 2740	2296	explorer.exe	105
PID 2296 wrote to memory of 2740	2296	explorer.exe	105
PID 2296 wrote to memory of 4600	2296	explorer.exe	106
PID 2296 wrote to memory of 4600	2296	explorer.exe	106
PID 2296 wrote to memory of 4600	2296	explorer.exe	106
PID 2296 wrote to memory of 2072	2296	explorer.exe	107
PID 2296 wrote to memory of 2072	2296	explorer.exe	107
PID 2296 wrote to memory of 2072	2296	explorer.exe	107
PID 2296 wrote to memory of 4740	2296	explorer.exe	108
PID 2296 wrote to memory of 4740	2296	explorer.exe	108
PID 2296 wrote to memory of 4740	2296	explorer.exe	108
PID 2296 wrote to memory of 3564	2296	explorer.exe	109
PID 2296 wrote to memory of 3564	2296	explorer.exe	109
PID 2296 wrote to memory of 3564	2296	explorer.exe	109
PID 2296 wrote to memory of 4728	2296	explorer.exe	110
PID 2296 wrote to memory of 4728	2296	explorer.exe	110
PID 2296 wrote to memory of 4728	2296	explorer.exe	110
PID 2296 wrote to memory of 940	2296	explorer.exe	111
PID 2296 wrote to memory of 940	2296	explorer.exe	111
PID 2296 wrote to memory of 940	2296	explorer.exe	111
PID 2296 wrote to memory of 4928	2296	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eabda5d34b7a347f653595fef894e426_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4612
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2444
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3068
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:940
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4388
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4436
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1956
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4460
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:512
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1308
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2440
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2060
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1780
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3484
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4532
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
71c8f63a5af52f8c850a5dac975e1dcb

SHA1
9ed09efc95f79fd805a6b9581cc2b4fe8a6ddda3

SHA256
e1d0c958354799a8cc3eaf36915e74cf0b4a25532e16e1b48b67911bd28b6aa8

SHA512
222e79d70b10b8eef72f9f0d16b442b1d3a3c236e18a9f9c2dd2eff0aa209fef0140e807938313f0d2688fd3e45f47570a35766f85e1cd57ca957bd83b0b7be6

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
d1e82dea0e714f537212670553ed0ded

SHA1
76048ea94c98cf9c5ca615cdf47fe4d6e712bae1

SHA256
d3284af165c89aaab57770a072c09b753db360a73e40874110fd75930ced4d95

SHA512
01eb6a902045ce0738a0b29ce25c6730513fb172cc5d0d15d5cdb5c461c059d1c742367c523a316c093ee7231fba90469ffbda081bb364db65ef4a0d740d7d3d

Download Submit
memory/548-4413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/708-2259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-3170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/804-2356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/804-2560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/832-2384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/932-1942-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/940-1686-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1220-1882-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1236-3473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-2338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-2218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-2240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-2237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-4435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-4430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-2612-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-4326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-1034-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1656-1930-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-3462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-70-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1684-64-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1724-2781-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-706-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1812-1909-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1816-2603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-2601-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-4104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-3975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-1443-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2296-3689-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-649-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-3786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-2856-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-2760-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-3829-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-3701-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-3243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-1115-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2688-2727-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-2591-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-1320-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2828-1257-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2872-968-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2968-2055-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-2770-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-2774-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-917-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3068-1933-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3376-4875-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-4878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-1881-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3484-4317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-1567-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3640-1924-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3660-2151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-3044-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-1977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3776-4792-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-2372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-2375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-28-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3848-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3848-22-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3848-0-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3864-4336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-2074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-3381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-1186-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4388-2087-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-1916-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4460-2960-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-2622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-2793-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-2789-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-4781-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-4927-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-3986-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-1377-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4612-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-52-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4660-4764-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4660-4618-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4664-2497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4664-2493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4676-1918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-1639-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4740-1495-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4800-1904-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4816-1258-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4876-851-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4876-1920-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4928-1803-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5000-2227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-2842-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-2824-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-4638-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-2474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-4630-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download