pony | 2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c

Analysis

max time kernel
141s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
Size

2.2MB
MD5

5a289cab0f8ff4d053f4b2a5eb57332f
SHA1

0fccaa23116d2bc6fd36720ca7131db9dc13ecf8
SHA256

2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c
SHA512

23c2b191a588784c304fc4d7bdc245f6474fdcc7402eb52883a66caf844b671c831897a056e579a983cbfcdc94bcbec4b122bd6e7b028147db0b8a8928f63c0f
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwh

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 2 IoCs

Processes:

2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4588	explorer.exe
564	explorer.exe
4152	spoolsv.exe
4856	spoolsv.exe
1184	spoolsv.exe
4044	spoolsv.exe
3252	spoolsv.exe
1968	spoolsv.exe
3760	spoolsv.exe
3568	spoolsv.exe
3736	spoolsv.exe
4136	spoolsv.exe
3280	spoolsv.exe
1096	spoolsv.exe
684	spoolsv.exe
1948	spoolsv.exe
2664	spoolsv.exe
2028	spoolsv.exe
1432	spoolsv.exe
3984	spoolsv.exe
1980	spoolsv.exe
2764	spoolsv.exe
2084	spoolsv.exe
2148	spoolsv.exe
2960	spoolsv.exe
2416	spoolsv.exe
4680	spoolsv.exe
3576	spoolsv.exe
3556	spoolsv.exe
1584	spoolsv.exe
828	spoolsv.exe
1488	spoolsv.exe
4660	spoolsv.exe
3184	spoolsv.exe
1556	spoolsv.exe
928	spoolsv.exe
4404	spoolsv.exe
2352	spoolsv.exe
3092	explorer.exe
1540	spoolsv.exe
4784	spoolsv.exe
4420	spoolsv.exe
4804	spoolsv.exe
4696	spoolsv.exe
732	spoolsv.exe
2308	spoolsv.exe
2900	explorer.exe
1608	spoolsv.exe
4900	spoolsv.exe
4764	spoolsv.exe
5016	spoolsv.exe
4412	spoolsv.exe
3628	spoolsv.exe
4976	spoolsv.exe
652	spoolsv.exe
1972	spoolsv.exe
220	spoolsv.exe
4672	spoolsv.exe
4244	explorer.exe
1780	spoolsv.exe
3548	spoolsv.exe
3344	spoolsv.exe
1092	spoolsv.exe
1428	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 51 IoCs

Processes:

2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1212 set thread context of 2348	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
PID 4588 set thread context of 564	4588	explorer.exe	explorer.exe
PID 4152 set thread context of 2352	4152	spoolsv.exe	spoolsv.exe
PID 4856 set thread context of 1540	4856	spoolsv.exe	spoolsv.exe
PID 1184 set thread context of 4784	1184	spoolsv.exe	spoolsv.exe
PID 4044 set thread context of 4804	4044	spoolsv.exe	spoolsv.exe
PID 3252 set thread context of 4696	3252	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 732	1968	spoolsv.exe	spoolsv.exe
PID 3760 set thread context of 2308	3760	spoolsv.exe	spoolsv.exe
PID 3568 set thread context of 1608	3568	spoolsv.exe	spoolsv.exe
PID 3736 set thread context of 4900	3736	spoolsv.exe	spoolsv.exe
PID 4136 set thread context of 4764	4136	spoolsv.exe	spoolsv.exe
PID 3280 set thread context of 5016	3280	spoolsv.exe	spoolsv.exe
PID 1096 set thread context of 4412	1096	spoolsv.exe	spoolsv.exe
PID 684 set thread context of 3628	684	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 652	1948	spoolsv.exe	spoolsv.exe
PID 2664 set thread context of 1972	2664	spoolsv.exe	spoolsv.exe
PID 2028 set thread context of 220	2028	spoolsv.exe	spoolsv.exe
PID 1432 set thread context of 4672	1432	spoolsv.exe	spoolsv.exe
PID 3984 set thread context of 1780	3984	spoolsv.exe	spoolsv.exe
PID 1980 set thread context of 3548	1980	spoolsv.exe	spoolsv.exe
PID 2764 set thread context of 3344	2764	spoolsv.exe	spoolsv.exe
PID 2084 set thread context of 1092	2084	spoolsv.exe	spoolsv.exe
PID 2148 set thread context of 1080	2148	spoolsv.exe	spoolsv.exe
PID 2960 set thread context of 1052	2960	spoolsv.exe	spoolsv.exe
PID 2416 set thread context of 4132	2416	spoolsv.exe	spoolsv.exe
PID 4680 set thread context of 112	4680	spoolsv.exe	spoolsv.exe
PID 3576 set thread context of 1820	3576	spoolsv.exe	spoolsv.exe
PID 3556 set thread context of 3896	3556	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 1936	1584	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 1720	828	spoolsv.exe	spoolsv.exe
PID 1488 set thread context of 3640	1488	spoolsv.exe	spoolsv.exe
PID 4660 set thread context of 640	4660	spoolsv.exe	spoolsv.exe
PID 3184 set thread context of 3060	3184	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 2572	1556	spoolsv.exe	spoolsv.exe
PID 928 set thread context of 2204	928	spoolsv.exe	spoolsv.exe
PID 4404 set thread context of 1760	4404	spoolsv.exe	spoolsv.exe
PID 3092 set thread context of 916	3092	explorer.exe	explorer.exe
PID 4420 set thread context of 3580	4420	spoolsv.exe	spoolsv.exe
PID 2900 set thread context of 2716	2900	explorer.exe	explorer.exe
PID 4976 set thread context of 1608	4976	spoolsv.exe	spoolsv.exe
PID 4244 set thread context of 1552	4244	explorer.exe	explorer.exe
PID 1428 set thread context of 3752	1428	spoolsv.exe	spoolsv.exe
PID 5092 set thread context of 5312	5092	explorer.exe	explorer.exe
PID 3272 set thread context of 5400	3272	spoolsv.exe	spoolsv.exe
PID 4256 set thread context of 1904	4256	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 5336	3100	explorer.exe	explorer.exe
PID 3824 set thread context of 6052	3824	spoolsv.exe	spoolsv.exe
PID 4612 set thread context of 6088	4612	explorer.exe	explorer.exe
PID 2328 set thread context of 1764	2328	spoolsv.exe	spoolsv.exe
PID 2992 set thread context of 5148	2992	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exespoolsv.exeexplorer.exeexplorer.exe2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exeexplorer.exe

pid	process
2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

564 explorer.exe

pid	process
564	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
564	explorer.exe
2352	spoolsv.exe
2352	spoolsv.exe
1540	spoolsv.exe
1540	spoolsv.exe
4784	spoolsv.exe
4784	spoolsv.exe
4804	spoolsv.exe
4804	spoolsv.exe
4696	spoolsv.exe
4696	spoolsv.exe
732	spoolsv.exe
732	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
1608	spoolsv.exe
1608	spoolsv.exe
4900	spoolsv.exe
4900	spoolsv.exe
4764	spoolsv.exe
4764	spoolsv.exe
5016	spoolsv.exe
5016	spoolsv.exe
4412	spoolsv.exe
4412	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
652	spoolsv.exe
652	spoolsv.exe
1972	spoolsv.exe
1972	spoolsv.exe
220	spoolsv.exe
220	spoolsv.exe
4672	spoolsv.exe
4672	spoolsv.exe
1780	spoolsv.exe
1780	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
1092	spoolsv.exe
1092	spoolsv.exe
1080	spoolsv.exe
1080	spoolsv.exe
1052	spoolsv.exe
1052	spoolsv.exe
4132	spoolsv.exe
4132	spoolsv.exe
112	spoolsv.exe
112	spoolsv.exe
1820	spoolsv.exe
1820	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
1936	spoolsv.exe
1936	spoolsv.exe
1720	spoolsv.exe
1720	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1212 wrote to memory of 760	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	splwow64.exe
PID 1212 wrote to memory of 760	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	splwow64.exe
PID 1212 wrote to memory of 2348	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
PID 1212 wrote to memory of 2348	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
PID 1212 wrote to memory of 2348	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
PID 1212 wrote to memory of 2348	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
PID 1212 wrote to memory of 2348	1212	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
PID 2348 wrote to memory of 4588	2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	explorer.exe
PID 2348 wrote to memory of 4588	2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	explorer.exe
PID 2348 wrote to memory of 4588	2348	2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe	explorer.exe
PID 4588 wrote to memory of 564	4588	explorer.exe	explorer.exe
PID 4588 wrote to memory of 564	4588	explorer.exe	explorer.exe
PID 4588 wrote to memory of 564	4588	explorer.exe	explorer.exe
PID 4588 wrote to memory of 564	4588	explorer.exe	explorer.exe
PID 4588 wrote to memory of 564	4588	explorer.exe	explorer.exe
PID 564 wrote to memory of 4152	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4152	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4152	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4856	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4856	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4856	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1184	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1184	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1184	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4044	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4044	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4044	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3252	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3252	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3252	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1968	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1968	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1968	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3760	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3760	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3760	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3568	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3568	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3568	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3736	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3736	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3736	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4136	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4136	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 4136	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3280	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3280	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 3280	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1096	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1096	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1096	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 684	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 684	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 684	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1948	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1948	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1948	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 2664	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 2664	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 2664	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 2028	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 2028	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 2028	564	explorer.exe	spoolsv.exe
PID 564 wrote to memory of 1432	564	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
"C:\Users\Admin\AppData\Local\Temp\2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:760
- C:\Users\Admin\AppData\Local\Temp\2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe
  "C:\Users\Admin\AppData\Local\Temp\2ee266f12d146f934ea3e843f71c72824fdd3907821aaa3eec7de3a0e253df6c.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3092
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3252
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2900
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3736
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3280
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:684
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4244
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2960
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2416
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5092
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4660
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3060
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:4612
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3580
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:216
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3752
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3272
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5400
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4256
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1904
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2340
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2940
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6060
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4960
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
7d4a14398187e7862d238608b1afbf57

SHA1
4dc1dc88a8b3fb5126077bbc6b2bf77460ddb694

SHA256
78ee73d65c69c1dd12edad1288a76089cfc5d5fa5ad0b77bf5edb9a208f028df

SHA512
8fd5256b249480fece9a687be25fb959e7988296e2036b714e676c8f4948040fa02ce0f1050c9b7cc1e82f164d9e1916d0f4657eb1f1e015a57ee1f559b81fc8

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
2.2MB

MD5
0383ea79f7dd4d2eafae7faefa498843

SHA1
ae779aa7be0b352e4c72df61643840190d2f6459

SHA256
184a3d33d37ee4a31a1bfafc9fedc4f73c1e1ed980c37dd1a5e340487b7581c4

SHA512
a1a40aa7aef79b95a0a4c7845e01a07e57dceb4595655aaee773a8f98171b1065497ebfcc68d3287627e992cff01d7ee92e00cac4c416553853237f721db9b1c

Download Submit
memory/112-3031-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-2720-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-860-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-4566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-3170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/652-2702-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-1799-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/732-2482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-3653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-2933-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-2919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-2849-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-1723-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1184-1128-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1184-2440-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1212-34-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1212-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1212-27-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1212-0-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1432-2091-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1540-2377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-4772-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-2568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-2572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-4742-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-3137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-3133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-3507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-2822-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-2818-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-3042-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-3037-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-5579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-5460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-3125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-1800-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1968-1366-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1980-2175-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2028-1969-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2084-2349-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2148-2350-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2204-3314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-2761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-2554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-72-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2348-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-2541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-2376-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2572-3302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-1882-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2716-4296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-2237-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2960-2363-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3060-3295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-1300-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3280-1620-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3344-2839-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-1477-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3580-4166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-4030-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3628-2684-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-3146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-1553-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3752-5048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-1367-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3896-3115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-2092-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4044-1219-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4132-3206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-3020-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-1619-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4152-2367-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4152-981-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4412-2613-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4588-91-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4672-2810-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-2427-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4696-2472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-2590-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-2428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-2378-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4856-1067-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4900-2580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-2600-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-2604-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5144-5964-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-5636-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-5641-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5312-5227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5336-5469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5508-5943-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5528-5716-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5580-5956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5724-5973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5892-5808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6052-5801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6052-5607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6060-5829-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6088-5629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download