b2f311453fb3153464a82d1cb371fef1fd155b23cf9e6c41652b7c113b57763c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
Size

1.1MB
MD5

0df0bdd5f09012598f0d6fb4c8719820
SHA1

c1b4d4a7e76e6112ca7e5b9b7df8cdde85f7c0ca
SHA256

b2f311453fb3153464a82d1cb371fef1fd155b23cf9e6c41652b7c113b57763c
SHA512

78ac94e9bfabd32bbb96df4c963604cce0722eac41d492a70307a17b0ca20f3da4cc9040b4c48455973aa9838b65075d9bd9a391e78c66faeee41a7f003b6b41
SSDEEP

768:9SyCk0yiLw6K7njb5Vf0XghCF7RlH5sf1zBmQzTGfmgyq/4U:ikViCnoXghCF7PHWf1zwQVgv/F

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1764	userinit.exe
3040	system.exe
2560	system.exe
2736	system.exe
2220	system.exe
2576	system.exe
500	system.exe
2868	system.exe
1600	system.exe
1968	system.exe
2376	system.exe
2516	system.exe
1544	system.exe
2092	system.exe
2440	system.exe
2256	system.exe
532	system.exe
3032	system.exe
1660	system.exe
3064	system.exe
1988	system.exe
1848	system.exe
1288	system.exe
2240	system.exe
1004	system.exe
1804	system.exe
1624	system.exe
2796	system.exe
2140	system.exe
2676	system.exe
2632	system.exe
2484	system.exe
2736	system.exe
2708	system.exe
1680	system.exe
2212	system.exe
2768	system.exe
2264	system.exe
1656	system.exe
1980	system.exe
1700	system.exe
2320	system.exe
644	system.exe
1776	system.exe
2756	system.exe
488	system.exe
1132	system.exe
2332	system.exe
1660	system.exe
1568	system.exe
1372	system.exe
1080	system.exe
2820	system.exe
3048	system.exe
912	system.exe
1720	system.exe
2536	system.exe
2112	system.exe
2664	system.exe
2588	system.exe
2632	system.exe
2568	system.exe
2520	system.exe
2888	system.exe

Loads dropped DLL 64 IoCs

pid	Process
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe
1764	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
1764	userinit.exe
1764	userinit.exe
3040	system.exe
1764	userinit.exe
2560	system.exe
1764	userinit.exe
2736	system.exe
1764	userinit.exe
2220	system.exe
1764	userinit.exe
2576	system.exe
1764	userinit.exe
500	system.exe
1764	userinit.exe
2868	system.exe
1764	userinit.exe
1600	system.exe
1764	userinit.exe
1968	system.exe
1764	userinit.exe
2376	system.exe
1764	userinit.exe
2516	system.exe
1764	userinit.exe
1544	system.exe
1764	userinit.exe
2092	system.exe
1764	userinit.exe
2440	system.exe
1764	userinit.exe
2256	system.exe
1764	userinit.exe
532	system.exe
1764	userinit.exe
3032	system.exe
1764	userinit.exe
1660	system.exe
1764	userinit.exe
3064	system.exe
1764	userinit.exe
1988	system.exe
1764	userinit.exe
1848	system.exe
1764	userinit.exe
1288	system.exe
1764	userinit.exe
2240	system.exe
1764	userinit.exe
1004	system.exe
1764	userinit.exe
1804	system.exe
1764	userinit.exe
1624	system.exe
1764	userinit.exe
2796	system.exe
1764	userinit.exe
2140	system.exe
1764	userinit.exe
2676	system.exe
1764	userinit.exe
2632	system.exe
1764	userinit.exe
2484	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1764	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
1764	userinit.exe
1764	userinit.exe
3040	system.exe
3040	system.exe
2560	system.exe
2560	system.exe
2736	system.exe
2736	system.exe
2220	system.exe
2220	system.exe
2576	system.exe
2576	system.exe
500	system.exe
500	system.exe
2868	system.exe
2868	system.exe
1600	system.exe
1600	system.exe
1968	system.exe
1968	system.exe
2376	system.exe
2376	system.exe
2516	system.exe
2516	system.exe
1544	system.exe
1544	system.exe
2092	system.exe
2092	system.exe
2440	system.exe
2440	system.exe
2256	system.exe
2256	system.exe
532	system.exe
532	system.exe
3032	system.exe
3032	system.exe
1660	system.exe
1660	system.exe
3064	system.exe
3064	system.exe
1988	system.exe
1988	system.exe
1848	system.exe
1848	system.exe
1288	system.exe
1288	system.exe
2240	system.exe
2240	system.exe
1004	system.exe
1004	system.exe
1804	system.exe
1804	system.exe
1624	system.exe
1624	system.exe
2796	system.exe
2796	system.exe
2140	system.exe
2140	system.exe
2676	system.exe
2676	system.exe
2632	system.exe
2632	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1764	2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe	28
PID 2800 wrote to memory of 1764	2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe	28
PID 2800 wrote to memory of 1764	2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe	28
PID 2800 wrote to memory of 1764	2800	0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe	28
PID 1764 wrote to memory of 3040	1764	userinit.exe	29
PID 1764 wrote to memory of 3040	1764	userinit.exe	29
PID 1764 wrote to memory of 3040	1764	userinit.exe	29
PID 1764 wrote to memory of 3040	1764	userinit.exe	29
PID 1764 wrote to memory of 2560	1764	userinit.exe	30
PID 1764 wrote to memory of 2560	1764	userinit.exe	30
PID 1764 wrote to memory of 2560	1764	userinit.exe	30
PID 1764 wrote to memory of 2560	1764	userinit.exe	30
PID 1764 wrote to memory of 2736	1764	userinit.exe	31
PID 1764 wrote to memory of 2736	1764	userinit.exe	31
PID 1764 wrote to memory of 2736	1764	userinit.exe	31
PID 1764 wrote to memory of 2736	1764	userinit.exe	31
PID 1764 wrote to memory of 2220	1764	userinit.exe	32
PID 1764 wrote to memory of 2220	1764	userinit.exe	32
PID 1764 wrote to memory of 2220	1764	userinit.exe	32
PID 1764 wrote to memory of 2220	1764	userinit.exe	32
PID 1764 wrote to memory of 2576	1764	userinit.exe	33
PID 1764 wrote to memory of 2576	1764	userinit.exe	33
PID 1764 wrote to memory of 2576	1764	userinit.exe	33
PID 1764 wrote to memory of 2576	1764	userinit.exe	33
PID 1764 wrote to memory of 500	1764	userinit.exe	34
PID 1764 wrote to memory of 500	1764	userinit.exe	34
PID 1764 wrote to memory of 500	1764	userinit.exe	34
PID 1764 wrote to memory of 500	1764	userinit.exe	34
PID 1764 wrote to memory of 2868	1764	userinit.exe	35
PID 1764 wrote to memory of 2868	1764	userinit.exe	35
PID 1764 wrote to memory of 2868	1764	userinit.exe	35
PID 1764 wrote to memory of 2868	1764	userinit.exe	35
PID 1764 wrote to memory of 1600	1764	userinit.exe	36
PID 1764 wrote to memory of 1600	1764	userinit.exe	36
PID 1764 wrote to memory of 1600	1764	userinit.exe	36
PID 1764 wrote to memory of 1600	1764	userinit.exe	36
PID 1764 wrote to memory of 1968	1764	userinit.exe	37
PID 1764 wrote to memory of 1968	1764	userinit.exe	37
PID 1764 wrote to memory of 1968	1764	userinit.exe	37
PID 1764 wrote to memory of 1968	1764	userinit.exe	37
PID 1764 wrote to memory of 2376	1764	userinit.exe	38
PID 1764 wrote to memory of 2376	1764	userinit.exe	38
PID 1764 wrote to memory of 2376	1764	userinit.exe	38
PID 1764 wrote to memory of 2376	1764	userinit.exe	38
PID 1764 wrote to memory of 2516	1764	userinit.exe	39
PID 1764 wrote to memory of 2516	1764	userinit.exe	39
PID 1764 wrote to memory of 2516	1764	userinit.exe	39
PID 1764 wrote to memory of 2516	1764	userinit.exe	39
PID 1764 wrote to memory of 1544	1764	userinit.exe	40
PID 1764 wrote to memory of 1544	1764	userinit.exe	40
PID 1764 wrote to memory of 1544	1764	userinit.exe	40
PID 1764 wrote to memory of 1544	1764	userinit.exe	40
PID 1764 wrote to memory of 2092	1764	userinit.exe	41
PID 1764 wrote to memory of 2092	1764	userinit.exe	41
PID 1764 wrote to memory of 2092	1764	userinit.exe	41
PID 1764 wrote to memory of 2092	1764	userinit.exe	41
PID 1764 wrote to memory of 2440	1764	userinit.exe	42
PID 1764 wrote to memory of 2440	1764	userinit.exe	42
PID 1764 wrote to memory of 2440	1764	userinit.exe	42
PID 1764 wrote to memory of 2440	1764	userinit.exe	42
PID 1764 wrote to memory of 2256	1764	userinit.exe	43
PID 1764 wrote to memory of 2256	1764	userinit.exe	43
PID 1764 wrote to memory of 2256	1764	userinit.exe	43
PID 1764 wrote to memory of 2256	1764	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0df0bdd5f09012598f0d6fb4c8719820_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
1.1MB

MD5
0df0bdd5f09012598f0d6fb4c8719820

SHA1
c1b4d4a7e76e6112ca7e5b9b7df8cdde85f7c0ca

SHA256
b2f311453fb3153464a82d1cb371fef1fd155b23cf9e6c41652b7c113b57763c

SHA512
78ac94e9bfabd32bbb96df4c963604cce0722eac41d492a70307a17b0ca20f3da4cc9040b4c48455973aa9838b65075d9bd9a391e78c66faeee41a7f003b6b41

Download Submit
memory/488-517-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/488-515-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/500-103-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/644-485-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/912-610-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1004-303-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1132-528-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1288-286-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1544-172-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1568-558-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1600-127-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1600-122-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1656-442-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1660-240-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1700-463-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1720-620-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-504-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-428-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-629-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-86-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-616-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-618-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-16-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1764-607-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-60-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-129-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-608-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-596-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-589-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-61-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-588-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-576-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-575-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-236-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-568-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-570-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-259-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-557-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-271-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-270-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-281-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-283-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-46-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-291-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-15-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-47-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-302-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-310-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-311-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-323-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-324-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-330-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-331-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-554-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-343-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-549-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-351-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-360-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-361-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-370-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-381-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-548-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-534-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-389-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-398-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-399-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-535-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-409-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-418-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-533-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1764-429-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-525-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-527-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-440-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-448-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-449-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-512-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-514-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-462-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-461-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-472-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-506-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-471-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-482-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-34-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-484-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-491-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1764-492-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/1776-496-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1848-272-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1968-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1980-453-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2092-183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2140-344-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2212-411-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2220-77-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2220-78-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2220-73-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2240-295-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2256-206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2264-433-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2320-474-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2376-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2440-195-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2516-161-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2560-48-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2560-52-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2576-91-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2576-87-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2736-384-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2736-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2736-383-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2796-336-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2800-14-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2800-13-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2800-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2800-22-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2800-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2820-590-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3040-38-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-251-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download