pony | 96191c290ea1d1ba50e64cb0915ee522a978d73c064e8b4284f97e401a7dcb35

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
Size

2.2MB
MD5

fa16272663aa110df125077dae1031d1
SHA1

a25ce980089925f0db96fb78fd4bdc275f506ea8
SHA256

96191c290ea1d1ba50e64cb0915ee522a978d73c064e8b4284f97e401a7dcb35
SHA512

e1d0cc7fbcbcb9cbb0ce8b45a943ff1e3e26af15aede4250bcdb951b4a2edf5f7b9b23d505373838a21549d47c50216f2d3924dd0afa01575f9a0ebc9000e300
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWww5

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4232	explorer.exe
2592	explorer.exe
3312	spoolsv.exe
5052	spoolsv.exe
3472	spoolsv.exe
3936	spoolsv.exe
4428	spoolsv.exe
3020	spoolsv.exe
2764	spoolsv.exe
3144	spoolsv.exe
1728	spoolsv.exe
1124	spoolsv.exe
3488	spoolsv.exe
3256	spoolsv.exe
1928	spoolsv.exe
5056	spoolsv.exe
3084	spoolsv.exe
516	spoolsv.exe
396	spoolsv.exe
4380	spoolsv.exe
2124	spoolsv.exe
1264	spoolsv.exe
4396	spoolsv.exe
2072	spoolsv.exe
3136	spoolsv.exe
4964	spoolsv.exe
3092	spoolsv.exe
1256	spoolsv.exe
2540	spoolsv.exe
4288	spoolsv.exe
2948	spoolsv.exe
2144	spoolsv.exe
5040	spoolsv.exe
3228	explorer.exe
3920	spoolsv.exe
4048	spoolsv.exe
4016	spoolsv.exe
5112	spoolsv.exe
2420	spoolsv.exe
4832	spoolsv.exe
1020	explorer.exe
5076	spoolsv.exe
2284	spoolsv.exe
1192	spoolsv.exe
1428	spoolsv.exe
1396	spoolsv.exe
4172	spoolsv.exe
2416	spoolsv.exe
2304	explorer.exe
3308	spoolsv.exe
1016	spoolsv.exe
4564	spoolsv.exe
812	spoolsv.exe
5024	spoolsv.exe
3820	spoolsv.exe
2896	explorer.exe
4520	spoolsv.exe
4772	spoolsv.exe
696	spoolsv.exe
1980	spoolsv.exe
4040	spoolsv.exe
3520	explorer.exe
1416	spoolsv.exe
4244	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1260	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	91
PID 4232 set thread context of 2592	4232	explorer.exe	95
PID 3312 set thread context of 5040	3312	spoolsv.exe	126
PID 5052 set thread context of 3920	5052	spoolsv.exe	128
PID 3472 set thread context of 4048	3472	spoolsv.exe	129
PID 3936 set thread context of 4016	3936	spoolsv.exe	130
PID 4428 set thread context of 2420	4428	spoolsv.exe	132
PID 3020 set thread context of 4832	3020	spoolsv.exe	133
PID 2764 set thread context of 5076	2764	spoolsv.exe	135
PID 3144 set thread context of 2284	3144	spoolsv.exe	136
PID 1728 set thread context of 1192	1728	spoolsv.exe	137
PID 1124 set thread context of 1428	1124	spoolsv.exe	138
PID 3488 set thread context of 4172	3488	spoolsv.exe	140
PID 3256 set thread context of 2416	3256	spoolsv.exe	141
PID 1928 set thread context of 3308	1928	spoolsv.exe	143
PID 5056 set thread context of 1016	5056	spoolsv.exe	144
PID 3084 set thread context of 4564	3084	spoolsv.exe	145
PID 516 set thread context of 5024	516	spoolsv.exe	147
PID 396 set thread context of 3820	396	spoolsv.exe	148
PID 4380 set thread context of 4520	4380	spoolsv.exe	150
PID 2124 set thread context of 4772	2124	spoolsv.exe	151
PID 1264 set thread context of 1980	1264	spoolsv.exe	153
PID 4396 set thread context of 4040	4396	spoolsv.exe	154
PID 2072 set thread context of 1416	2072	spoolsv.exe	156
PID 3136 set thread context of 4244	3136	spoolsv.exe	157
PID 4964 set thread context of 816	4964	spoolsv.exe	158
PID 3092 set thread context of 4280	3092	spoolsv.exe	159
PID 1256 set thread context of 3728	1256	spoolsv.exe	161
PID 2540 set thread context of 3912	2540	spoolsv.exe	163
PID 4288 set thread context of 3048	4288	spoolsv.exe	164
PID 2948 set thread context of 3452	2948	spoolsv.exe	166
PID 2144 set thread context of 868	2144	spoolsv.exe	171
PID 3228 set thread context of 4304	3228	explorer.exe	173
PID 5112 set thread context of 4604	5112	spoolsv.exe	178
PID 1020 set thread context of 4900	1020	explorer.exe	180
PID 1396 set thread context of 4580	1396	spoolsv.exe	185
PID 2304 set thread context of 4672	2304	explorer.exe	187
PID 812 set thread context of 4968	812	spoolsv.exe	191
PID 2896 set thread context of 4852	2896	explorer.exe	193
PID 696 set thread context of 4824	696	spoolsv.exe	197
PID 3520 set thread context of 3748	3520	explorer.exe	199
PID 4568 set thread context of 3876	4568	spoolsv.exe	203
PID 3968 set thread context of 3708	3968	explorer.exe	205
PID 3664 set thread context of 4896	3664	spoolsv.exe	206
PID 4884 set thread context of 4756	4884	spoolsv.exe	207
PID 2248 set thread context of 2036	2248	spoolsv.exe	208
PID 2932 set thread context of 4804	2932	spoolsv.exe	210
PID 2680 set thread context of 3004	2680	spoolsv.exe	213
PID 4696 set thread context of 1736	4696	explorer.exe	215

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
5040	spoolsv.exe
5040	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe
2420	spoolsv.exe
2420	spoolsv.exe
4832	spoolsv.exe
4832	spoolsv.exe
5076	spoolsv.exe
5076	spoolsv.exe
2284	spoolsv.exe
2284	spoolsv.exe
1192	spoolsv.exe
1192	spoolsv.exe
1428	spoolsv.exe
1428	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
2416	spoolsv.exe
2416	spoolsv.exe
3308	spoolsv.exe
3308	spoolsv.exe
1016	spoolsv.exe
1016	spoolsv.exe
4564	spoolsv.exe
4564	spoolsv.exe
5024	spoolsv.exe
5024	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
4520	spoolsv.exe
4520	spoolsv.exe
4772	spoolsv.exe
4772	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
1416	spoolsv.exe
1416	spoolsv.exe
4244	spoolsv.exe
4244	spoolsv.exe
816	spoolsv.exe
816	spoolsv.exe
4280	spoolsv.exe
4280	spoolsv.exe
3728	spoolsv.exe
3728	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
3048	spoolsv.exe
3048	spoolsv.exe
3452	spoolsv.exe
3452	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4836	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	82
PID 1500 wrote to memory of 4836	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	82
PID 1500 wrote to memory of 1260	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	91
PID 1500 wrote to memory of 1260	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	91
PID 1500 wrote to memory of 1260	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	91
PID 1500 wrote to memory of 1260	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	91
PID 1500 wrote to memory of 1260	1500	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	91
PID 1260 wrote to memory of 4232	1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	92
PID 1260 wrote to memory of 4232	1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	92
PID 1260 wrote to memory of 4232	1260	fa16272663aa110df125077dae1031d1_JaffaCakes118.exe	92
PID 4232 wrote to memory of 2592	4232	explorer.exe	95
PID 4232 wrote to memory of 2592	4232	explorer.exe	95
PID 4232 wrote to memory of 2592	4232	explorer.exe	95
PID 4232 wrote to memory of 2592	4232	explorer.exe	95
PID 4232 wrote to memory of 2592	4232	explorer.exe	95
PID 2592 wrote to memory of 3312	2592	explorer.exe	96
PID 2592 wrote to memory of 3312	2592	explorer.exe	96
PID 2592 wrote to memory of 3312	2592	explorer.exe	96
PID 2592 wrote to memory of 5052	2592	explorer.exe	97
PID 2592 wrote to memory of 5052	2592	explorer.exe	97
PID 2592 wrote to memory of 5052	2592	explorer.exe	97
PID 2592 wrote to memory of 3472	2592	explorer.exe	98
PID 2592 wrote to memory of 3472	2592	explorer.exe	98
PID 2592 wrote to memory of 3472	2592	explorer.exe	98
PID 2592 wrote to memory of 3936	2592	explorer.exe	99
PID 2592 wrote to memory of 3936	2592	explorer.exe	99
PID 2592 wrote to memory of 3936	2592	explorer.exe	99
PID 2592 wrote to memory of 4428	2592	explorer.exe	100
PID 2592 wrote to memory of 4428	2592	explorer.exe	100
PID 2592 wrote to memory of 4428	2592	explorer.exe	100
PID 2592 wrote to memory of 3020	2592	explorer.exe	101
PID 2592 wrote to memory of 3020	2592	explorer.exe	101
PID 2592 wrote to memory of 3020	2592	explorer.exe	101
PID 2592 wrote to memory of 2764	2592	explorer.exe	102
PID 2592 wrote to memory of 2764	2592	explorer.exe	102
PID 2592 wrote to memory of 2764	2592	explorer.exe	102
PID 2592 wrote to memory of 3144	2592	explorer.exe	103
PID 2592 wrote to memory of 3144	2592	explorer.exe	103
PID 2592 wrote to memory of 3144	2592	explorer.exe	103
PID 2592 wrote to memory of 1728	2592	explorer.exe	104
PID 2592 wrote to memory of 1728	2592	explorer.exe	104
PID 2592 wrote to memory of 1728	2592	explorer.exe	104
PID 2592 wrote to memory of 1124	2592	explorer.exe	105
PID 2592 wrote to memory of 1124	2592	explorer.exe	105
PID 2592 wrote to memory of 1124	2592	explorer.exe	105
PID 2592 wrote to memory of 3488	2592	explorer.exe	106
PID 2592 wrote to memory of 3488	2592	explorer.exe	106
PID 2592 wrote to memory of 3488	2592	explorer.exe	106
PID 2592 wrote to memory of 3256	2592	explorer.exe	107
PID 2592 wrote to memory of 3256	2592	explorer.exe	107
PID 2592 wrote to memory of 3256	2592	explorer.exe	107
PID 2592 wrote to memory of 1928	2592	explorer.exe	108
PID 2592 wrote to memory of 1928	2592	explorer.exe	108
PID 2592 wrote to memory of 1928	2592	explorer.exe	108
PID 2592 wrote to memory of 5056	2592	explorer.exe	109
PID 2592 wrote to memory of 5056	2592	explorer.exe	109
PID 2592 wrote to memory of 5056	2592	explorer.exe	109
PID 2592 wrote to memory of 3084	2592	explorer.exe	110
PID 2592 wrote to memory of 3084	2592	explorer.exe	110
PID 2592 wrote to memory of 3084	2592	explorer.exe	110
PID 2592 wrote to memory of 516	2592	explorer.exe	111
PID 2592 wrote to memory of 516	2592	explorer.exe	111
PID 2592 wrote to memory of 516	2592	explorer.exe	111
PID 2592 wrote to memory of 396	2592	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa16272663aa110df125077dae1031d1_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\fa16272663aa110df125077dae1031d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fa16272663aa110df125077dae1031d1_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1260
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3228
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3936
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4832
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3256
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:516
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3820
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2896
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1264
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4964
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1256
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3728
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:868
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4968
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4824
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4884
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2248
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4804
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3004
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3220
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4876
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
c4909ed305cf556bab91a823aaf2090b

SHA1
d8a977e54cc21a9430c0ef3dba548104bb373ce8

SHA256
03e39cf2a038b757e01c206df766d7285b342ca5d7f5684f4766e2801169965f

SHA512
9a5b139c394bea3d52648b86c8bc078b867a03f38b2f207443b101e6a2a5dd8d52e0ee23abcb53325486d821874aefa15958d41a4ee99a0fe41cd40517592259

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
d718e0d958685402f9382e728b638eea

SHA1
73d945cc5b3a320d79217ffe020519a5157194b3

SHA256
a7defb61c9f8e3fd474994a8c808f113a72d94010a73ecbf7fcbf0f8682a35de

SHA512
06ddba57b08feac9dc1b51f2271db3dc1ce418cf65f59f2c7a857c9d8fb1ea29492fe1818f6679e7f4e452cbf323bdefa1f540429fab81e623c3bd71dffefe91

Download Submit
memory/396-1864-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/516-1782-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/816-2767-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-3387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-3461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-2417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-1410-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1192-2199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-72-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1260-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1264-1988-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1416-2746-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-2211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1500-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1500-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1500-42-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1728-1338-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1736-4964-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-1590-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1980-2682-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-2678-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-2007-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2124-1937-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2284-2188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-2191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-2398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-2583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-2069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-4006-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-716-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-1187-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3004-4955-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-5070-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-1186-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3048-2951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-2955-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-1709-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3144-1232-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3220-5222-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-1538-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3308-2408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-766-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3312-1979-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3452-3050-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-958-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3472-2002-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3488-1467-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3708-4722-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-2931-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-4481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-2720-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-2600-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-4711-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-2942-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-1989-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-1029-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3936-2008-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4016-2016-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-2737-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-2916-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-2004-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-1999-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-2304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4232-91-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4244-2757-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-2761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-2839-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-3399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-1936-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4396-1994-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4428-1085-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4564-2430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-2426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-4000-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-3772-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-3640-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-4013-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-4741-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-2618-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-2621-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-4935-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-4470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-2363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-2168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-4288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-5239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-4731-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-3665-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-4984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-4330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-4252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-2518-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-2140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-1978-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-1991-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5052-887-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5056-1652-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5076-2178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download