Analysis

  • max time kernel
    142s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-09-2024 09:14

General

  • Target

    f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    f1b789a7a8ef785b57357e53b97894a2

  • SHA1

    3b2e7d5c121d29f178c21d2d0465003f7cd01a65

  • SHA256

    4d5ee321d223c7e685bfafdd3e2a92dbc38cc86e1099efd8a40c87303fff8c54

  • SHA512

    7cda733e57cd1d0155bdf73ba88310d1134c5749065ecc424102cf1d47931165b8dc8fe806cb89d488e9d1162936325acc4e6e85e06375b556f64e4e8ae6c067

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZg:0UzeyQMS4DqodCnoe+iitjWwwM

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 49 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:5040
      • C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2376
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:3444
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3948
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2064
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3908
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:2468
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1960
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2368
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2116
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1896
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4900
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2760
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4024
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:4080
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4632
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4524
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3880
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:5000
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1628
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2268
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1344
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4556
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3676
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4512
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1556
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:532
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4380
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:4532
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:3104
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3680
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4904
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4284
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1688
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1860
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3140
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:368
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:540
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4376
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4776
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3524
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1116
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1108
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3368
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1080
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2184
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4804
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1884
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3944
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3304
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4292
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3696
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3560
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1100
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2628
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2856
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:4840
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                      PID:1012
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:4772
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:876
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:3232
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:5096
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1156
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:912
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2340
                    • \??\c:\windows\system\explorer.exe
                      "c:\windows\system\explorer.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2412
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:3488
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:5100
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:4560
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:2328
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:4276
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:4576
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:1332
                    • \??\c:\windows\system\explorer.exe
                      "c:\windows\system\explorer.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:4472
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:4272
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3100
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:3164
                    • \??\c:\windows\system\explorer.exe
                      "c:\windows\system\explorer.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:396
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:1632
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                    PID:1368
                    • \??\c:\windows\system\explorer.exe
                      c:\windows\system\explorer.exe
                      7⤵
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:5076
                      • \??\c:\windows\system\explorer.exe
                        "c:\windows\system\explorer.exe"
                        8⤵
                          PID:4624
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2056
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:4228
                      • \??\c:\windows\system\explorer.exe
                        c:\windows\system\explorer.exe
                        7⤵
                        • Drops file in Windows directory
                        PID:5064
                        • \??\c:\windows\system\explorer.exe
                          "c:\windows\system\explorer.exe"
                          8⤵
                            PID:2648
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      PID:3372
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:4920
                        • \??\c:\windows\system\explorer.exe
                          c:\windows\system\explorer.exe
                          7⤵
                          • Drops file in Windows directory
                          PID:3388
                          • \??\c:\windows\system\explorer.exe
                            "c:\windows\system\explorer.exe"
                            8⤵
                              PID:1196
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        PID:4796
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                            PID:4760
                            • \??\c:\windows\system\explorer.exe
                              c:\windows\system\explorer.exe
                              7⤵
                              • Drops file in Windows directory
                              PID:3148
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:3088
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                            • System Location Discovery: System Language Discovery
                            PID:2660
                            • \??\c:\windows\system\explorer.exe
                              c:\windows\system\explorer.exe
                              7⤵
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              PID:4428
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:4088
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                            • System Location Discovery: System Language Discovery
                            PID:4264
                            • \??\c:\windows\system\explorer.exe
                              c:\windows\system\explorer.exe
                              7⤵
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              PID:1072
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:3616
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                              PID:632
                              • \??\c:\windows\system\explorer.exe
                                c:\windows\system\explorer.exe
                                7⤵
                                • Drops file in Windows directory
                                PID:2640
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            PID:1568
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                                PID:2008
                                • \??\c:\windows\system\explorer.exe
                                  c:\windows\system\explorer.exe
                                  7⤵
                                    PID:1516
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                PID:3000
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1152
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Suspicious use of SetThreadContext
                                PID:5024
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2888
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                PID:3108
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                    PID:708
                                • \??\c:\windows\system\spoolsv.exe
                                  c:\windows\system\spoolsv.exe SE
                                  5⤵
                                  • Drops file in Windows directory
                                  PID:4520
                                  • \??\c:\windows\system\spoolsv.exe
                                    "c:\windows\system\spoolsv.exe"
                                    6⤵
                                      PID:4528
                                      • \??\c:\windows\system\explorer.exe
                                        c:\windows\system\explorer.exe
                                        7⤵
                                          PID:4176
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                        PID:4252
                                        • \??\c:\windows\system\spoolsv.exe
                                          "c:\windows\system\spoolsv.exe"
                                          6⤵
                                            PID:4484
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Drops file in Windows directory
                                          PID:3528
                                          • \??\c:\windows\system\spoolsv.exe
                                            "c:\windows\system\spoolsv.exe"
                                            6⤵
                                              PID:3276
                                              • \??\c:\windows\system\explorer.exe
                                                c:\windows\system\explorer.exe
                                                7⤵
                                                  PID:3916
                                            • \??\c:\windows\system\spoolsv.exe
                                              c:\windows\system\spoolsv.exe SE
                                              5⤵
                                              • Drops file in Windows directory
                                              PID:1004
                                              • \??\c:\windows\system\spoolsv.exe
                                                "c:\windows\system\spoolsv.exe"
                                                6⤵
                                                  PID:4964
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                PID:4720
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                PID:3124
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                PID:4540
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                PID:180
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                PID:3112
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                PID:4432
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Drops file in Windows directory
                                                PID:3228
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4968
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                  PID:3196
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                    PID:4888
                                                  • \??\c:\windows\system\spoolsv.exe
                                                    c:\windows\system\spoolsv.exe SE
                                                    5⤵
                                                      PID:2788
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                                              1⤵
                                                PID:3740

                                              Network

                                              • flag-us
                                                DNS
                                                8.8.8.8.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                8.8.8.8.in-addr.arpa
                                                IN PTR
                                                Response
                                                8.8.8.8.in-addr.arpa
                                                IN PTR
                                                dns.google
                                              • flag-us
                                                DNS
                                                13.86.106.20.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                13.86.106.20.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                172.214.232.199.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                172.214.232.199.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                71.159.190.20.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                71.159.190.20.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                183.59.114.20.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                183.59.114.20.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                171.39.242.20.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                171.39.242.20.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                45.56.20.217.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                45.56.20.217.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                240.221.184.93.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                240.221.184.93.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                31.243.111.52.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                31.243.111.52.in-addr.arpa
                                                IN PTR
                                                Response
                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Windows\Parameters.ini

                                                Filesize

                                                74B

                                                MD5

                                                6687785d6a31cdf9a5f80acb3abc459b

                                                SHA1

                                                1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                                                SHA256

                                                3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                                                SHA512

                                                5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                                              • C:\Windows\System\explorer.exe

                                                Filesize

                                                2.2MB

                                                MD5

                                                04b43629997538a51c289322038e690d

                                                SHA1

                                                152ae312b72b9a1d51f64c86fffb2ce54e486840

                                                SHA256

                                                3ad06e02294a3a88d9df4f48ea671cb6222b8e782d65cb6a66f40d1251d4bdf3

                                                SHA512

                                                517453239316203fab5b44265b6cdefbb2774caea6f6c013f19f9bb1b2b4cd9766f2547428fd50bdae18a75f0cb7552e60ecefb01205d243056a0703b83a775d

                                              • C:\Windows\System\spoolsv.exe

                                                Filesize

                                                2.2MB

                                                MD5

                                                b2d95dbfe26a8f99572b1659649c36fe

                                                SHA1

                                                a2b451ed804401f3fa8cd9e57d4addc9579f423f

                                                SHA256

                                                57cbfda3e171b0faa182cbdce37a8f520c9b09b2b62ef6017d90fd494e7664bd

                                                SHA512

                                                e4d02aff62ad16bf1c10de5ab26285774c188edf10224a364746c55e536c3b51ea1de2b48766e71b237fd92bcf637e6c8844b4cdd54a0156d847bfc76af562b6

                                              • memory/3140-2626-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3276-5078-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3304-2735-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3368-2575-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3368-2577-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3444-94-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/3444-100-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/3524-1700-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/3560-1952-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/3676-2171-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3680-1402-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/3696-2743-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3880-2302-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3908-1857-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3908-2048-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3944-1856-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/3948-3794-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3948-630-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/3948-99-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4024-1971-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4080-1034-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4228-3686-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4228-3765-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4264-4384-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4284-1474-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4292-1896-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4376-1608-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4380-2320-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4472-4649-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4484-4910-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4512-1264-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4524-1090-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4528-4819-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4556-1212-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4576-3291-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4632-1979-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4760-4025-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4772-1973-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4776-2553-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4776-2555-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4796-42-0x0000000000780000-0x0000000000781000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/4796-41-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4796-0-0x0000000000780000-0x0000000000781000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/4796-49-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                Filesize

                                                1.8MB

                                              • memory/4900-1959-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4904-2372-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4904-2369-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4920-3795-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4920-3889-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/4964-5089-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB

                                              • memory/5096-2881-0x0000000000400000-0x000000000043E000-memory.dmp

                                                Filesize

                                                248KB
