Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 15:06

General

  • Target

    eb97e7a36339fcf00fa4639ef481e2dc_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    eb97e7a36339fcf00fa4639ef481e2dc

  • SHA1

    1d3dac1ea55dcddead9fb850e3afbefcb0efd3fa

  • SHA256

    b52958adf1c86b2364d4d87eab9acaa5a47706ffa43b4cd4eb7a5c2fceda8826

  • SHA512

    5f5ceb5fcf95269de8542c81d0b04e6fcea5aa04f2eb6dec10fd4b010cec5784c8ecb7db576ad39032d68c6fb6c014b7ded86cbda896e01629405afd0051a106

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWww4

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 55 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb97e7a36339fcf00fa4639ef481e2dc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb97e7a36339fcf00fa4639ef481e2dc_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4764
      • C:\Users\Admin\AppData\Local\Temp\eb97e7a36339fcf00fa4639ef481e2dc_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\eb97e7a36339fcf00fa4639ef481e2dc_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1428
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4156
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2560
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4580
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3584
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:1016
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1644
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1880
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5008
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:5004
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2756
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:312
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3780
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:3236
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2444
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2452
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2756
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3444
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3968
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2308
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:540
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1900
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:3284
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5112
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1824
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1984
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3092
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2700
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4488
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:4224
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2504
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:3324
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                      PID:2396
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:1872
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:5072
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:3212
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3500
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:1648
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:452
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:3736
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1992
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:1936
                    • \??\c:\windows\system\explorer.exe
                      "c:\windows\system\explorer.exe"
                      8⤵
                        PID:2064
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:4008
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1944
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3532
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1684
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:3568
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1580
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:732
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:3308
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:2996
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:3980
                    • \??\c:\windows\system\explorer.exe
                      c:\windows\system\explorer.exe
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      PID:392
                      • \??\c:\windows\system\explorer.exe
                        "c:\windows\system\explorer.exe"
                        8⤵
                          PID:4692
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:376
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:1748
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:1852
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:3372
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:1504
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:524
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:1052
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:4936
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:3788
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:3096
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:432
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2312
                      • \??\c:\windows\system\explorer.exe
                        c:\windows\system\explorer.exe
                        7⤵
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        PID:1296
                        • \??\c:\windows\system\explorer.exe
                          "c:\windows\system\explorer.exe"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:1060
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:2528
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:3616
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:800
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:5076
                      • \??\c:\windows\system\explorer.exe
                        c:\windows\system\explorer.exe
                        7⤵
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:1316
                        • \??\c:\windows\system\explorer.exe
                          "c:\windows\system\explorer.exe"
                          8⤵
                            PID:4984
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      PID:4556
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                          PID:3368
                          • \??\c:\windows\system\explorer.exe
                            c:\windows\system\explorer.exe
                            7⤵
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            PID:1840
                            • \??\c:\windows\system\explorer.exe
                              "c:\windows\system\explorer.exe"
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:3460
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        PID:2264
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                            PID:1536
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:3064
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                              PID:4368
                              • \??\c:\windows\system\explorer.exe
                                c:\windows\system\explorer.exe
                                7⤵
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                PID:4940
                                • \??\c:\windows\system\explorer.exe
                                  "c:\windows\system\explorer.exe"
                                  8⤵
                                    PID:3028
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Drops file in Windows directory
                              PID:2140
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:664
                                • \??\c:\windows\system\explorer.exe
                                  c:\windows\system\explorer.exe
                                  7⤵
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  PID:3328
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              PID:4996
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:4384
                                • \??\c:\windows\system\explorer.exe
                                  c:\windows\system\explorer.exe
                                  7⤵
                                  • Drops file in Windows directory
                                  PID:3936
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              PID:4392
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                  PID:1304
                                  • \??\c:\windows\system\explorer.exe
                                    c:\windows\system\explorer.exe
                                    7⤵
                                    • Drops file in Windows directory
                                    PID:4924
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                PID:4344
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4056
                                  • \??\c:\windows\system\explorer.exe
                                    c:\windows\system\explorer.exe
                                    7⤵
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    PID:4160
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                PID:4508
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                    PID:1280
                                • \??\c:\windows\system\spoolsv.exe
                                  c:\windows\system\spoolsv.exe SE
                                  5⤵
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  PID:4080
                                  • \??\c:\windows\system\spoolsv.exe
                                    "c:\windows\system\spoolsv.exe"
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3048
                                    • \??\c:\windows\system\explorer.exe
                                      c:\windows\system\explorer.exe
                                      7⤵
                                        PID:4088
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Suspicious use of SetThreadContext
                                    PID:3268
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                        PID:3744
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Suspicious use of SetThreadContext
                                      • Drops file in Windows directory
                                      PID:4716
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1752
                                        • \??\c:\windows\system\explorer.exe
                                          c:\windows\system\explorer.exe
                                          7⤵
                                          • Drops file in Windows directory
                                          • System Location Discovery: System Language Discovery
                                          PID:4560
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Suspicious use of SetThreadContext
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:3056
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:448
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      PID:2368
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1652
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Suspicious use of SetThreadContext
                                      • Drops file in Windows directory
                                      PID:1956
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                          PID:4528
                                          • \??\c:\windows\system\explorer.exe
                                            c:\windows\system\explorer.exe
                                            7⤵
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            PID:328
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Suspicious use of SetThreadContext
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        PID:3748
                                        • \??\c:\windows\system\spoolsv.exe
                                          "c:\windows\system\spoolsv.exe"
                                          6⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5032
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        PID:1868
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Drops file in Windows directory
                                        PID:4112
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        PID:1560
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        PID:2736
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                          PID:116
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Drops file in Windows directory
                                          PID:4296
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Drops file in Windows directory
                                          • System Location Discovery: System Language Discovery
                                          PID:4496
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Drops file in Windows directory
                                          PID:1980
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Drops file in Windows directory
                                          • System Location Discovery: System Language Discovery
                                          PID:3508
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Drops file in Windows directory
                                          PID:2304
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                            PID:4872
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Drops file in Windows directory
                                            PID:2688
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            PID:4524
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Drops file in Windows directory
                                            PID:2488
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                              PID:1692
                                            • \??\c:\windows\system\spoolsv.exe
                                              c:\windows\system\spoolsv.exe SE
                                              5⤵
                                                PID:1668
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                                        1⤵
                                          PID:4916

                                        Network

                                        • flag-us
                                          DNS
                                          8.8.8.8.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          8.8.8.8.in-addr.arpa
                                          IN PTR
                                          Response
                                          8.8.8.8.in-addr.arpa
                                          IN PTR
                                          dnsgoogle
                                        • flag-us
                                          DNS
                                          241.150.49.20.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          241.150.49.20.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          172.214.232.199.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          172.214.232.199.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          95.221.229.192.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          95.221.229.192.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          68.32.126.40.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          68.32.126.40.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          104.219.191.52.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          104.219.191.52.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          183.59.114.20.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          183.59.114.20.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          171.39.242.20.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          171.39.242.20.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          172.210.232.199.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          172.210.232.199.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          240.143.123.92.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          240.143.123.92.in-addr.arpa
                                          IN PTR
                                          Response
                                          240.143.123.92.in-addr.arpa
                                          IN PTR
                                          a92-123-143-240deploystaticakamaitechnologiescom
                                        • flag-us
                                          DNS
                                          19.229.111.52.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          19.229.111.52.in-addr.arpa
                                          IN PTR
                                          Response
                                        No results found
                                        • 8.8.8.8:53
                                          8.8.8.8.in-addr.arpa
                                          dns
                                          66 B
                                          90 B
                                          1
                                          1

                                          DNS Request

                                          8.8.8.8.in-addr.arpa

                                        • 8.8.8.8:53
                                          241.150.49.20.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          241.150.49.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          172.214.232.199.in-addr.arpa
                                          dns
                                          74 B
                                          128 B
                                          1
                                          1

                                          DNS Request

                                          172.214.232.199.in-addr.arpa

                                        • 8.8.8.8:53
                                          95.221.229.192.in-addr.arpa
                                          dns
                                          73 B
                                          144 B
                                          1
                                          1

                                          DNS Request

                                          95.221.229.192.in-addr.arpa

                                        • 8.8.8.8:53
                                          68.32.126.40.in-addr.arpa
                                          dns
                                          71 B
                                          157 B
                                          1
                                          1

                                          DNS Request

                                          68.32.126.40.in-addr.arpa

                                        • 8.8.8.8:53
                                          104.219.191.52.in-addr.arpa
                                          dns
                                          73 B
                                          147 B
                                          1
                                          1

                                          DNS Request

                                          104.219.191.52.in-addr.arpa

                                        • 8.8.8.8:53
                                          183.59.114.20.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          183.59.114.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          171.39.242.20.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          171.39.242.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          172.210.232.199.in-addr.arpa
                                          dns
                                          74 B
                                          128 B
                                          1
                                          1

                                          DNS Request

                                          172.210.232.199.in-addr.arpa

                                        • 8.8.8.8:53
                                          240.143.123.92.in-addr.arpa
                                          dns
                                          73 B
                                          139 B
                                          1
                                          1

                                          DNS Request

                                          240.143.123.92.in-addr.arpa

                                        • 8.8.8.8:53
                                          19.229.111.52.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          19.229.111.52.in-addr.arpa

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Windows\Parameters.ini

                                          Filesize

                                          74B

                                          MD5

                                          6687785d6a31cdf9a5f80acb3abc459b

                                          SHA1

                                          1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                                          SHA256

                                          3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                                          SHA512

                                          5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                                        • C:\Windows\System\explorer.exe

                                          Filesize

                                          2.2MB

                                          MD5

                                          4466342fd898815d3b756b277bb731f7

                                          SHA1

                                          5b9108c3402032f3c3c7c522f049b0cbabd8f7db

                                          SHA256

                                          9e4dc2ac382818827c1c31b8776807136c7f491e20221b535dacaa79f80e3027

                                          SHA512

                                          c87eb00da16280552fef3285e72f7155381e3095dfedf9507a12dcd93e2841584e6a2af2b8101eb67fd71d5484543451e81a8437c918c16db002cca1d3c77c1f

                                        • \??\c:\windows\system\spoolsv.exe

                                          Filesize

                                          2.2MB

                                          MD5

                                          c795daaaac0409618a0195a542facfc4

                                          SHA1

                                          5a5a6d0d1e7af1cf5e9e0c9150edfbc7189c7cd3

                                          SHA256

                                          fd2bd7c533f88e80eeca661a505fe352870a0d69e6f99e074c16d86913b8c32a

                                          SHA512

                                          436292fd95b5b011181183e2ae22f49938d9750cad79d6fb8c150bac28b8f0f5095f2b4f9a48ce5bac5cfb53321571081d6a1ca1c9690758454eb361a8509ebf

                                        • memory/312-931-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/312-2044-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/376-2038-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/448-4984-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/448-4981-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/452-2491-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/524-2817-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/540-2268-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/540-2430-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/664-3870-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/732-1910-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1060-4554-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1280-4562-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1304-4523-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1428-49-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1428-50-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1428-93-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1504-2089-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1536-3393-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1644-3194-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1648-1754-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1652-4997-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1684-2632-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1748-2795-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1748-2797-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1752-5109-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1824-2281-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1824-2278-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1852-2088-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1872-1620-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1880-1912-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1880-787-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1944-2625-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1944-2621-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1984-1388-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1992-2614-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/1992-2712-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2308-1246-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2312-2956-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2312-3050-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2396-3748-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2444-3374-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2452-1014-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2504-2561-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2504-2449-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2560-3736-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2560-719-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2560-109-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2700-1451-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2756-2135-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2756-1988-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/2996-1980-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3028-5139-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3048-4855-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3092-2293-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3092-2289-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3096-2841-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3096-2837-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3212-1692-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3216-54-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3216-47-0x0000000002590000-0x0000000002591000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/3216-46-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3216-0-0x0000000002590000-0x0000000002591000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/3284-3593-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3308-2663-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3368-3440-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3372-2806-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3444-1080-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3500-2471-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3532-1899-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3568-1900-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3584-1905-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3584-2025-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3616-2968-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3736-1831-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3744-4823-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3780-2043-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3780-2180-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3968-2147-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/3980-2933-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4008-1898-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4056-4544-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4056-4713-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4156-104-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4156-110-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4224-1518-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4368-3583-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4368-3661-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4384-4168-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4488-2301-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4528-5314-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4528-5129-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4580-786-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4580-1907-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4692-4385-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4936-2829-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4936-2826-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/4984-4813-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/5004-1986-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5004-854-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5008-1918-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/5032-5222-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/5072-2458-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/5076-3232-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/5076-3113-0x0000000000400000-0x000000000043E000-memory.dmp

                                          Filesize

                                          248KB

                                        • memory/5112-1322-0x0000000000400000-0x00000000005D3000-memory.dmp

                                          Filesize

                                          1.8MB

                                        We care about your privacy.

                                        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.