azorult | 47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
Size

1.9MB
MD5

b1d2c6a081a911db6157479403f6b279
SHA1

63983454fcf3e5c8d4adad7566b1048922819164
SHA256

47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727
SHA512

0c7847a5dc144a5a293d57e2aad923adbfcb48afb91374d76d1800b4868863bf18606dfdb9c0453f5d3bc20594b324c8a6f131f5c59416b7c574442b4edf80b3
SSDEEP

24576:+HZQS+B2kOVzDiaEwWWoFxUt0ChpFd0hjxx7Rr10:LgVTWWpt7pFd0DxB10

Score

10^/10

azorult evasion infostealer persistence trojan upx

Malware Config

Extracted

Family

azorult

http://23.94.253.127/sky/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2668	b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe
1984	icsys.icn.exe
3012	icsys.icn.exe
2364	explorer.exe
844	explorer.exe
620	spoolsv.exe
3068	spoolsv.exe
1080	spoolsv.exe
2900	spoolsv.exe
1660	spoolsv.exe
616	spoolsv.exe
900	spoolsv.exe
2936	spoolsv.exe
1604	spoolsv.exe
2308	spoolsv.exe
1900	spoolsv.exe
2932	spoolsv.exe
668	spoolsv.exe
2880	spoolsv.exe
2560	spoolsv.exe
2576	spoolsv.exe
1164	spoolsv.exe
2724	spoolsv.exe
2508	spoolsv.exe
2792	spoolsv.exe
2528	spoolsv.exe
2652	spoolsv.exe
2804	spoolsv.exe
2240	spoolsv.exe
2404	spoolsv.exe
2740	spoolsv.exe
1496	spoolsv.exe
2220	spoolsv.exe
2864	spoolsv.exe
2840	spoolsv.exe
1652	spoolsv.exe
1516	spoolsv.exe
1500	spoolsv.exe
636	spoolsv.exe
2264	spoolsv.exe
2232	spoolsv.exe
1372	spoolsv.exe
2016	spoolsv.exe
1868	spoolsv.exe
1776	spoolsv.exe
1420	spoolsv.exe
1068	spoolsv.exe
324	spoolsv.exe
2684	spoolsv.exe
2620	spoolsv.exe
2668	spoolsv.exe
1960	spoolsv.exe
1672	spoolsv.exe
1476	spoolsv.exe
1892	spoolsv.exe
2132	spoolsv.exe
1556	spoolsv.exe
1544	spoolsv.exe
1472	spoolsv.exe
768	spoolsv.exe
2416	spoolsv.exe
2004	spoolsv.exe
332	spoolsv.exe
1992	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
3012	icsys.icn.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/948-0-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/948-2-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/948-6-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/948-22-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/files/0x00090000000155f3-36.dat	upx
behavioral1/memory/1984-43-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1984-44-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1984-56-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1984-68-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/files/0x000b0000000149f5-64.dat	upx
behavioral1/files/0x000b000000015018-78.dat	upx
behavioral1/memory/2364-86-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2364-89-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2364-92-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2364-111-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/files/0x000b000000015c52-117.dat	upx
behavioral1/memory/844-119-0x00000000032D0000-0x00000000034A5000-memory.dmp	upx
behavioral1/memory/3068-130-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1080-136-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2900-142-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1660-149-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/616-157-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/620-156-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3068-163-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/900-164-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2936-170-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2900-175-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2308-183-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1660-182-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1900-191-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/616-190-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/668-202-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1604-208-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2880-209-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2560-221-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2576-222-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1164-229-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2932-230-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2724-236-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/668-242-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2508-249-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2792-248-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2528-257-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2652-263-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2240-276-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1164-274-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2724-352-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2792-441-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\vidccleaner.exe"	icsys.icn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe"	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 1984 set thread context of 3012	1984	icsys.icn.exe	35
PID 2364 set thread context of 844	2364	explorer.exe	37

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	icsys.icn.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
3012	icsys.icn.exe
3012	icsys.icn.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 948 wrote to memory of 2656	948	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2668	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	29
PID 2656 wrote to memory of 2668	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	29
PID 2656 wrote to memory of 2668	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	29
PID 2656 wrote to memory of 2668	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	29
PID 2656 wrote to memory of 1984	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	34
PID 2656 wrote to memory of 1984	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	34
PID 2656 wrote to memory of 1984	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	34
PID 2656 wrote to memory of 1984	2656	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	34
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 1984 wrote to memory of 3012	1984	icsys.icn.exe	35
PID 3012 wrote to memory of 2364	3012	icsys.icn.exe	36
PID 3012 wrote to memory of 2364	3012	icsys.icn.exe	36
PID 3012 wrote to memory of 2364	3012	icsys.icn.exe	36
PID 3012 wrote to memory of 2364	3012	icsys.icn.exe	36
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 2364 wrote to memory of 844	2364	explorer.exe	37
PID 844 wrote to memory of 620	844	explorer.exe	38
PID 844 wrote to memory of 620	844	explorer.exe	38
PID 844 wrote to memory of 620	844	explorer.exe	38
PID 844 wrote to memory of 620	844	explorer.exe	38
PID 844 wrote to memory of 3068	844	explorer.exe	39
PID 844 wrote to memory of 3068	844	explorer.exe	39
PID 844 wrote to memory of 3068	844	explorer.exe	39
PID 844 wrote to memory of 3068	844	explorer.exe	39
PID 844 wrote to memory of 1080	844	explorer.exe	40
PID 844 wrote to memory of 1080	844	explorer.exe	40
PID 844 wrote to memory of 1080	844	explorer.exe	40
PID 844 wrote to memory of 1080	844	explorer.exe	40
PID 844 wrote to memory of 2900	844	explorer.exe	41
PID 844 wrote to memory of 2900	844	explorer.exe	41
PID 844 wrote to memory of 2900	844	explorer.exe	41
PID 844 wrote to memory of 2900	844	explorer.exe	41
PID 844 wrote to memory of 1660	844	explorer.exe	42
PID 844 wrote to memory of 1660	844	explorer.exe	42
PID 844 wrote to memory of 1660	844	explorer.exe	42
PID 844 wrote to memory of 1660	844	explorer.exe	42
PID 844 wrote to memory of 616	844	explorer.exe	43
PID 844 wrote to memory of 616	844	explorer.exe	43
PID 844 wrote to memory of 616	844	explorer.exe	43
PID 844 wrote to memory of 616	844	explorer.exe	43
PID 844 wrote to memory of 900	844	explorer.exe	44

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe
    c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe
    3⤵
    - Executes dropped EXE
    PID:2668
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3012
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2560
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1164
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2508
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2528
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1776
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1420
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1472
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:768
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:332
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2396
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2176
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\MiniCalc.exe

Filesize
1.9MB

MD5
b1d2c6a081a911db6157479403f6b279

SHA1
63983454fcf3e5c8d4adad7566b1048922819164

SHA256
47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727

SHA512
0c7847a5dc144a5a293d57e2aad923adbfcb48afb91374d76d1800b4868863bf18606dfdb9c0453f5d3bc20594b324c8a6f131f5c59416b7c574442b4edf80b3

Download Submit
\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe

Filesize
112KB

MD5
24cfc52ce3106b792d93e96634372215

SHA1
875f00987bc65d4dab5f99168d622f6b40cc7c9f

SHA256
382171d2fa4d6d713846dbdaafd2a0bd6b6509f1759bb58e524fee060591f98d

SHA512
87e27fc9ebf6842ada5297efcb273bf11ef97ecfbd5823d55c056c65de28ac65bd61f58e2955a0719587c13dc0efd539074853b8ae29efd204919bb70ebb9d0e

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
1.8MB

MD5
1ceb2c97afd546cfa87804f13c905b2f

SHA1
d853f522786e15133feda59f2e56a59a60fb70a4

SHA256
a11c8c2fdab3ed8c2189bad71ba22f882547fb453d58ccd674d5355475950cd4

SHA512
f388b955a4070b1544d03a3268f149f847584e5f84fde1df27ee4aaf4a34cd2443fe5c216eb9373357afca496f7c5e6d60d4a7bbc84c44cd999dd5248902d78a

Download Submit
\Windows\system\explorer.exe

Filesize
2.0MB

MD5
0a9e7a7aa5a0959ec5f4d342a721e0f5

SHA1
697745897b2d051fcf8d0dce9514b6f821b19a49

SHA256
2975eff9c85808dbaca26c1ac71ed0d14a0752ccdce1009d97442d3631bde662

SHA512
f03842d81d074a3b95530d3883e72dfa7a16ec7a058558dc7608546dcaf0a579c073cdc05d321a9fb2cac9271f495f3e7be1a91d0169a7d4294bc242908103a1

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.0MB

MD5
ae3c3526a6ae888a227b9aef8c113ac0

SHA1
5e983e2bfad5639587d0d5b4f0aa091f2db9ccc3

SHA256
c2ddd622c05f5be48c42b852adf5d497fe5ab6a0fa66f31998ca758cded305b7

SHA512
42dab5f231fad719e92569f3e6119c4dc3ed4a7337fbd91b9e1901aec54d5b85cfdb153b8ac438449b16583ea9213520ebb5f1d38387cec4593031d5b182eda1

Download Submit
memory/616-157-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/616-190-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/620-156-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/668-242-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/668-202-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/844-275-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-250-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-119-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-256-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-129-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-223-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-215-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-148-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-154-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-189-0x00000000032D0000-0x00000000034A5000-memory.dmp

Filesize
1.8MB

Download
memory/844-437-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/900-164-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/948-6-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/948-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/948-0-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/948-2-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/948-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/948-22-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1080-136-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1164-274-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1164-229-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1604-208-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1660-149-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1660-182-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1900-191-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1984-44-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1984-43-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1984-56-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1984-68-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2240-276-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2308-183-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2364-86-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2364-92-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2364-89-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2364-111-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2508-249-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2528-257-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2560-221-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2576-222-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2652-263-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2656-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-23-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/2656-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-42-0x0000000003270000-0x0000000003445000-memory.dmp

Filesize
1.8MB

Download
memory/2656-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-40-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/2656-47-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/2656-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2668-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2668-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2724-236-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2724-352-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2792-441-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2792-248-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2880-209-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2900-175-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2900-142-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2932-230-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2936-170-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3012-85-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/3012-71-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/3012-82-0x0000000003280000-0x0000000003455000-memory.dmp

Filesize
1.8MB

Download
memory/3068-163-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3068-130-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download