Analysis

  • max time kernel
    143s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2024 02:32

General

  • Target

    f75ddda667322e416999c0cf7ef30666_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    f75ddda667322e416999c0cf7ef30666

  • SHA1

    db1046ebb9af64533dfd94669c32effff374bb0c

  • SHA256

    303dcfd2b6d786120a52d2e291aeb64085de0c320f8f3b953b7dfd64c8ff5db3

  • SHA512

    9a0d890b6b0eb8bb61301b8c5b08578dbac3bd748a357dda8ff598473c840738076cd843d604baddd9ce766b85acc8ad37dce209018582939b3dc24c4e1400dd

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZB:0UzeyQMS4DqodCnoe+iitjWwwN

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 53 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f75ddda667322e416999c0cf7ef30666_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f75ddda667322e416999c0cf7ef30666_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2776
      • C:\Users\Admin\AppData\Local\Temp\f75ddda667322e416999c0cf7ef30666_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f75ddda667322e416999c0cf7ef30666_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1420
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4776
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:648
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5104
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5076
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:3732
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                      PID:1032
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2604
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3996
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:4368
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:4236
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:3916
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:4636
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:1308
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:4800
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:1624
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3952
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1496
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:452
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:3912
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2348
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1780
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3696
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:4004
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2692
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:2548
                    • \??\c:\windows\system\explorer.exe
                      "c:\windows\system\explorer.exe"
                      8⤵
                        PID:1440
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:4428
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1812
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:5028
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1764
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2704
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2040
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1396
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:4868
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1280
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:3476
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:3208
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1508
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3472
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:532
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:1768
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:5040
                    • \??\c:\windows\system\explorer.exe
                      c:\windows\system\explorer.exe
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:4512
                      • \??\c:\windows\system\explorer.exe
                        "c:\windows\system\explorer.exe"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:4992
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:1972
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:3976
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:4300
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:5108
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4228
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:4352
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2552
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:4236
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3440
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:3828
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:560
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1672
                    • \??\c:\windows\system\explorer.exe
                      c:\windows\system\explorer.exe
                      7⤵
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:3928
                      • \??\c:\windows\system\explorer.exe
                        "c:\windows\system\explorer.exe"
                        8⤵
                          PID:3940
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:1608
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:4892
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:3056
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:5012
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:1832
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2088
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:1324
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2792
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:3756
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:1516
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:2296
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:5112
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:3636
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                        PID:4644
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:3356
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                          PID:4348
                          • \??\c:\windows\system\explorer.exe
                            c:\windows\system\explorer.exe
                            7⤵
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            PID:1500
                            • \??\c:\windows\system\explorer.exe
                              "c:\windows\system\explorer.exe"
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:4540
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        PID:2784
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                            PID:2316
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Drops file in Windows directory
                          PID:2484
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                              PID:2320
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            PID:3144
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:3500
                              • \??\c:\windows\system\explorer.exe
                                c:\windows\system\explorer.exe
                                7⤵
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:4912
                                • \??\c:\windows\system\explorer.exe
                                  "c:\windows\system\explorer.exe"
                                  8⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:5792
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            PID:1784
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                                PID:4744
                                • \??\c:\windows\system\explorer.exe
                                  c:\windows\system\explorer.exe
                                  7⤵
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  PID:4288
                                  • \??\c:\windows\system\explorer.exe
                                    "c:\windows\system\explorer.exe"
                                    8⤵
                                      PID:6016
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                PID:2928
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1076
                                  • \??\c:\windows\system\explorer.exe
                                    c:\windows\system\explorer.exe
                                    7⤵
                                      PID:4828
                                • \??\c:\windows\system\spoolsv.exe
                                  c:\windows\system\spoolsv.exe SE
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Windows directory
                                  PID:3980
                                  • \??\c:\windows\system\spoolsv.exe
                                    "c:\windows\system\spoolsv.exe"
                                    6⤵
                                      PID:5084
                                      • \??\c:\windows\system\explorer.exe
                                        c:\windows\system\explorer.exe
                                        7⤵
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        PID:1172
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:1668
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                        PID:4948
                                        • \??\c:\windows\system\explorer.exe
                                          c:\windows\system\explorer.exe
                                          7⤵
                                            PID:4340
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Suspicious use of SetThreadContext
                                        • Drops file in Windows directory
                                        PID:1028
                                        • \??\c:\windows\system\spoolsv.exe
                                          "c:\windows\system\spoolsv.exe"
                                          6⤵
                                            PID:3196
                                            • \??\c:\windows\system\explorer.exe
                                              c:\windows\system\explorer.exe
                                              7⤵
                                              • Drops file in Windows directory
                                              PID:4872
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Suspicious use of SetThreadContext
                                          • Drops file in Windows directory
                                          • System Location Discovery: System Language Discovery
                                          PID:3236
                                          • \??\c:\windows\system\spoolsv.exe
                                            "c:\windows\system\spoolsv.exe"
                                            6⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4432
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Suspicious use of SetThreadContext
                                          PID:2408
                                          • \??\c:\windows\system\spoolsv.exe
                                            "c:\windows\system\spoolsv.exe"
                                            6⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5264
                                            • \??\c:\windows\system\explorer.exe
                                              c:\windows\system\explorer.exe
                                              7⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5300
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Suspicious use of SetThreadContext
                                          • Drops file in Windows directory
                                          PID:4960
                                          • \??\c:\windows\system\spoolsv.exe
                                            "c:\windows\system\spoolsv.exe"
                                            6⤵
                                              PID:5708
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Suspicious use of SetThreadContext
                                            • Drops file in Windows directory
                                            PID:4456
                                            • \??\c:\windows\system\spoolsv.exe
                                              "c:\windows\system\spoolsv.exe"
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5888
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Suspicious use of SetThreadContext
                                            PID:4956
                                            • \??\c:\windows\system\spoolsv.exe
                                              "c:\windows\system\spoolsv.exe"
                                              6⤵
                                                PID:5976
                                            • \??\c:\windows\system\spoolsv.exe
                                              c:\windows\system\spoolsv.exe SE
                                              5⤵
                                              • Drops file in Windows directory
                                              PID:1680
                                              • \??\c:\windows\system\spoolsv.exe
                                                "c:\windows\system\spoolsv.exe"
                                                6⤵
                                                  PID:5424
                                                  • \??\c:\windows\system\explorer.exe
                                                    c:\windows\system\explorer.exe
                                                    7⤵
                                                      PID:5440
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Drops file in Windows directory
                                                  PID:1828
                                                  • \??\c:\windows\system\spoolsv.exe
                                                    "c:\windows\system\spoolsv.exe"
                                                    6⤵
                                                      PID:5472
                                                  • \??\c:\windows\system\spoolsv.exe
                                                    c:\windows\system\spoolsv.exe SE
                                                    5⤵
                                                    • Drops file in Windows directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3968
                                                    • \??\c:\windows\system\spoolsv.exe
                                                      "c:\windows\system\spoolsv.exe"
                                                      6⤵
                                                        PID:5548
                                                    • \??\c:\windows\system\spoolsv.exe
                                                      c:\windows\system\spoolsv.exe SE
                                                      5⤵
                                                      • Drops file in Windows directory
                                                      PID:4620
                                                      • \??\c:\windows\system\spoolsv.exe
                                                        "c:\windows\system\spoolsv.exe"
                                                        6⤵
                                                          PID:2272
                                                      • \??\c:\windows\system\spoolsv.exe
                                                        c:\windows\system\spoolsv.exe SE
                                                        5⤵
                                                          PID:4944
                                                          • \??\c:\windows\system\spoolsv.exe
                                                            "c:\windows\system\spoolsv.exe"
                                                            6⤵
                                                              PID:6040
                                                          • \??\c:\windows\system\spoolsv.exe
                                                            c:\windows\system\spoolsv.exe SE
                                                            5⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4392
                                                            • \??\c:\windows\system\spoolsv.exe
                                                              "c:\windows\system\spoolsv.exe"
                                                              6⤵
                                                                PID:6096
                                                            • \??\c:\windows\system\spoolsv.exe
                                                              c:\windows\system\spoolsv.exe SE
                                                              5⤵
                                                              • Drops file in Windows directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2368
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                "c:\windows\system\spoolsv.exe"
                                                                6⤵
                                                                  PID:712
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:4532
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4104
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2160
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:3096
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:3064
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:940
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:2312
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4076
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:3804
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:4220
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:2196
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1928
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:4100
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3644
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:5648
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                  PID:4444
                                                                • \??\c:\windows\system\spoolsv.exe
                                                                  c:\windows\system\spoolsv.exe SE
                                                                  5⤵
                                                                    PID:5920
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                                                            1⤵
                                                              PID:3184

                                                            Network

                                                            • flag-us
                                                              DNS
                                                              8.8.8.8.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              8.8.8.8.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                              8.8.8.8.in-addr.arpa
                                                              IN PTR
                                                              dnsgoogle
                                                            • flag-us
                                                              DNS
                                                              13.86.106.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              13.86.106.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              172.214.232.199.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              172.214.232.199.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              74.32.126.40.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              74.32.126.40.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              95.221.229.192.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              95.221.229.192.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              97.17.167.52.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              97.17.167.52.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              58.55.71.13.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              58.55.71.13.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              50.23.12.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              50.23.12.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              171.39.242.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              171.39.242.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              172.210.232.199.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              172.210.232.199.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              22.236.111.52.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              22.236.111.52.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            No results found
                                                            • 8.8.8.8:53
                                                              8.8.8.8.in-addr.arpa
                                                              dns
                                                              66 B
                                                              90 B
                                                              1
                                                              1

                                                              DNS Request

                                                              8.8.8.8.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              13.86.106.20.in-addr.arpa
                                                              dns
                                                              71 B
                                                              157 B
                                                              1
                                                              1

                                                              DNS Request

                                                              13.86.106.20.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              172.214.232.199.in-addr.arpa
                                                              dns
                                                              74 B
                                                              128 B
                                                              1
                                                              1

                                                              DNS Request

                                                              172.214.232.199.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              74.32.126.40.in-addr.arpa
                                                              dns
                                                              71 B
                                                              157 B
                                                              1
                                                              1

                                                              DNS Request

                                                              74.32.126.40.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              95.221.229.192.in-addr.arpa
                                                              dns
                                                              73 B
                                                              144 B
                                                              1
                                                              1

                                                              DNS Request

                                                              95.221.229.192.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              97.17.167.52.in-addr.arpa
                                                              dns
                                                              71 B
                                                              145 B
                                                              1
                                                              1

                                                              DNS Request

                                                              97.17.167.52.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              58.55.71.13.in-addr.arpa
                                                              dns
                                                              70 B
                                                              144 B
                                                              1
                                                              1

                                                              DNS Request

                                                              58.55.71.13.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              50.23.12.20.in-addr.arpa
                                                              dns
                                                              70 B
                                                              156 B
                                                              1
                                                              1

                                                              DNS Request

                                                              50.23.12.20.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              171.39.242.20.in-addr.arpa
                                                              dns
                                                              72 B
                                                              158 B
                                                              1
                                                              1

                                                              DNS Request

                                                              171.39.242.20.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              172.210.232.199.in-addr.arpa
                                                              dns
                                                              74 B
                                                              128 B
                                                              1
                                                              1

                                                              DNS Request

                                                              172.210.232.199.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              22.236.111.52.in-addr.arpa
                                                              dns
                                                              72 B
                                                              158 B
                                                              1
                                                              1

                                                              DNS Request

                                                              22.236.111.52.in-addr.arpa

                                                            MITRE ATT&CK Enterprise v15

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Windows\Parameters.ini

                                                              Filesize

                                                              74B

                                                              MD5

                                                              6687785d6a31cdf9a5f80acb3abc459b

                                                              SHA1

                                                              1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                                                              SHA256

                                                              3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                                                              SHA512

                                                              5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                                                            • C:\Windows\System\explorer.exe

                                                              Filesize

                                                              2.2MB

                                                              MD5

                                                              eb3c3264fbf75f3cbb2485113ceea789

                                                              SHA1

                                                              f18b0741266742810aab889afcf85b766a08212b

                                                              SHA256

                                                              47a72091bec3e1085d881b007d3e8046b0024648672f907ae6b073f79bb121b3

                                                              SHA512

                                                              a1548eaef7e01d0359f43232b57248549694dccd06dd25fc4a5a008d48bde1567adfe29a29c5d26546d3e0ee69300fd00b3a86cd5ef31b694aac5c1bef74e9ed

                                                            • C:\Windows\System\spoolsv.exe

                                                              Filesize

                                                              2.2MB

                                                              MD5

                                                              0432d371b9c2f5d871b4dc6e333e24c1

                                                              SHA1

                                                              42de7d319e10b8c9f1f97499d79f7915556328ef

                                                              SHA256

                                                              2c05c1e8a15d3d1858a10fdfaf045ae66c69d1e7088f86624bcf69d555ce8172

                                                              SHA512

                                                              c9bcb3edc519760a174134a06d9f71fbbcda9db4c45cc24dfb481ff87e9b4597418bad4a574faaae705e23b899fa00118e122298732b81e126f1828a47ae2d0b

                                                            • memory/452-2474-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/532-2750-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/560-2331-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/648-855-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/648-4407-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/648-105-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1032-3803-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1076-4544-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1280-1860-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1308-1290-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1396-1794-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1420-89-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1420-88-0x0000000000440000-0x0000000000509000-memory.dmp

                                                              Filesize

                                                              804KB

                                                            • memory/1420-51-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1420-50-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1440-4403-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1496-1356-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1508-2702-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1516-3119-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1516-3116-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1608-2340-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1624-1291-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1672-3073-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/1768-2061-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1780-1523-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/1972-2138-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2040-2673-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2272-5833-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2316-3276-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2320-3283-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2320-3288-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2348-2484-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2552-2304-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2604-1027-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2604-2334-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2628-53-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2628-46-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2628-0-0x0000000002590000-0x0000000002591000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/2628-47-0x0000000002590000-0x0000000002591000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/2692-2773-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2692-2568-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/2704-1793-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2792-3107-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3196-5512-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3196-5343-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3208-1932-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/3440-2316-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/3472-2060-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/3476-2693-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3696-2497-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3696-2493-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3828-2920-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3912-1427-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/3916-1198-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/3940-5205-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3952-2465-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3952-2460-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3976-2872-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/3996-2333-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4004-1524-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4228-2303-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4236-2342-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4236-2346-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4236-2901-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4300-2200-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4348-3351-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4348-3268-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4352-2891-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4368-1088-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4368-2344-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4428-1604-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4432-5454-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4432-5450-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4540-5353-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4636-2441-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4644-3138-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4744-4071-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4776-106-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4776-100-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/4800-2452-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4868-2682-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4892-3082-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4948-5196-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/4992-4754-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5012-3090-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5028-1667-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/5040-2820-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5076-2535-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5076-2322-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5084-4873-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5104-2323-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/5104-966-0x0000000000400000-0x00000000005D3000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/5108-2883-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5264-5730-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5264-5546-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5424-6003-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5424-5792-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5472-5803-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5708-5640-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5792-5650-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5888-5657-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5976-5672-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/5976-5668-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/6016-5912-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/6040-5920-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            • memory/6096-5930-0x0000000000400000-0x000000000043E000-memory.dmp

                                                              Filesize

                                                              248KB

                                                            We care about your privacy.

                                                            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.