d8c4a82e69d87d9e5a2cc5fad5e47854104df2d6989efc6685c348c3128fa061

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
Size

97KB
MD5

1c0f5afba06355ef242cd0ecc1e880c1
SHA1

6149d9f7cbbeecf65a5a83bb474a8b5ee28efb52
SHA256

d8c4a82e69d87d9e5a2cc5fad5e47854104df2d6989efc6685c348c3128fa061
SHA512

c98fe4f714279452785ffda24956b19e99dc006cf5ba537ff8b125bfb6957765dd9cfac5156d4589220ddb09286985a1260c898683eb6bd7ff8cfa2e6394e3f9
SSDEEP

1536:KC0OMcamTaWf1zwQVgv6I83yDIjU6J8UlrmfvttU5Hn:JnamTa+1zwLv65CWLnJmXjU5H

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2584	userinit.exe
2636	system.exe
2652	system.exe
2628	system.exe
2504	system.exe
2392	system.exe
588	system.exe
1464	system.exe
2832	system.exe
2828	system.exe
1124	system.exe
2404	system.exe
2816	system.exe
1544	system.exe
1984	system.exe
2968	system.exe
2140	system.exe
1988	system.exe
1044	system.exe
948	system.exe
1644	system.exe
1692	system.exe
684	system.exe
2236	system.exe
2212	system.exe
1504	system.exe
1900	system.exe
2964	system.exe
624	system.exe
2664	system.exe
2488	system.exe
1980	system.exe
3044	system.exe
1040	system.exe
360	system.exe
2884	system.exe
2932	system.exe
2788	system.exe
2752	system.exe
1708	system.exe
2868	system.exe
2816	system.exe
1456	system.exe
2060	system.exe
1740	system.exe
1300	system.exe
2140	system.exe
1160	system.exe
2716	system.exe
1512	system.exe
1168	system.exe
1644	system.exe
556	system.exe
1764	system.exe
1440	system.exe
1772	system.exe
2108	system.exe
1628	system.exe
2608	system.exe
2516	system.exe
2492	system.exe
2164	system.exe
2536	system.exe
3040	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe
2584	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
2584	userinit.exe
2584	userinit.exe
2636	system.exe
2584	userinit.exe
2652	system.exe
2584	userinit.exe
2628	system.exe
2584	userinit.exe
2504	system.exe
2584	userinit.exe
2392	system.exe
2584	userinit.exe
588	system.exe
2584	userinit.exe
1464	system.exe
2584	userinit.exe
2832	system.exe
2584	userinit.exe
2828	system.exe
2584	userinit.exe
1124	system.exe
2584	userinit.exe
2404	system.exe
2584	userinit.exe
2816	system.exe
2584	userinit.exe
1544	system.exe
2584	userinit.exe
1984	system.exe
2584	userinit.exe
2968	system.exe
2584	userinit.exe
2140	system.exe
2584	userinit.exe
1988	system.exe
2584	userinit.exe
1044	system.exe
2584	userinit.exe
948	system.exe
2584	userinit.exe
1644	system.exe
2584	userinit.exe
1692	system.exe
2584	userinit.exe
684	system.exe
2584	userinit.exe
2236	system.exe
2584	userinit.exe
2212	system.exe
2584	userinit.exe
1504	system.exe
2584	userinit.exe
1900	system.exe
2584	userinit.exe
2964	system.exe
2584	userinit.exe
624	system.exe
2584	userinit.exe
2664	system.exe
2584	userinit.exe
2488	system.exe
2584	userinit.exe
1980	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
2584	userinit.exe
2584	userinit.exe
2636	system.exe
2636	system.exe
2652	system.exe
2652	system.exe
2628	system.exe
2628	system.exe
2504	system.exe
2504	system.exe
2392	system.exe
2392	system.exe
588	system.exe
588	system.exe
1464	system.exe
1464	system.exe
2832	system.exe
2832	system.exe
2828	system.exe
2828	system.exe
1124	system.exe
1124	system.exe
2404	system.exe
2404	system.exe
2816	system.exe
2816	system.exe
1544	system.exe
1544	system.exe
1984	system.exe
1984	system.exe
2968	system.exe
2968	system.exe
2140	system.exe
2140	system.exe
1988	system.exe
1988	system.exe
1044	system.exe
1044	system.exe
948	system.exe
948	system.exe
1644	system.exe
1644	system.exe
1692	system.exe
1692	system.exe
684	system.exe
684	system.exe
2236	system.exe
2236	system.exe
2212	system.exe
2212	system.exe
1504	system.exe
1504	system.exe
1900	system.exe
1900	system.exe
2964	system.exe
2964	system.exe
624	system.exe
624	system.exe
2664	system.exe
2664	system.exe
2488	system.exe
2488	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2584	2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2584	2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2584	2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2584	2248	1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2636	2584	userinit.exe	29
PID 2584 wrote to memory of 2636	2584	userinit.exe	29
PID 2584 wrote to memory of 2636	2584	userinit.exe	29
PID 2584 wrote to memory of 2636	2584	userinit.exe	29
PID 2584 wrote to memory of 2652	2584	userinit.exe	30
PID 2584 wrote to memory of 2652	2584	userinit.exe	30
PID 2584 wrote to memory of 2652	2584	userinit.exe	30
PID 2584 wrote to memory of 2652	2584	userinit.exe	30
PID 2584 wrote to memory of 2628	2584	userinit.exe	31
PID 2584 wrote to memory of 2628	2584	userinit.exe	31
PID 2584 wrote to memory of 2628	2584	userinit.exe	31
PID 2584 wrote to memory of 2628	2584	userinit.exe	31
PID 2584 wrote to memory of 2504	2584	userinit.exe	32
PID 2584 wrote to memory of 2504	2584	userinit.exe	32
PID 2584 wrote to memory of 2504	2584	userinit.exe	32
PID 2584 wrote to memory of 2504	2584	userinit.exe	32
PID 2584 wrote to memory of 2392	2584	userinit.exe	33
PID 2584 wrote to memory of 2392	2584	userinit.exe	33
PID 2584 wrote to memory of 2392	2584	userinit.exe	33
PID 2584 wrote to memory of 2392	2584	userinit.exe	33
PID 2584 wrote to memory of 588	2584	userinit.exe	34
PID 2584 wrote to memory of 588	2584	userinit.exe	34
PID 2584 wrote to memory of 588	2584	userinit.exe	34
PID 2584 wrote to memory of 588	2584	userinit.exe	34
PID 2584 wrote to memory of 1464	2584	userinit.exe	35
PID 2584 wrote to memory of 1464	2584	userinit.exe	35
PID 2584 wrote to memory of 1464	2584	userinit.exe	35
PID 2584 wrote to memory of 1464	2584	userinit.exe	35
PID 2584 wrote to memory of 2832	2584	userinit.exe	36
PID 2584 wrote to memory of 2832	2584	userinit.exe	36
PID 2584 wrote to memory of 2832	2584	userinit.exe	36
PID 2584 wrote to memory of 2832	2584	userinit.exe	36
PID 2584 wrote to memory of 2828	2584	userinit.exe	37
PID 2584 wrote to memory of 2828	2584	userinit.exe	37
PID 2584 wrote to memory of 2828	2584	userinit.exe	37
PID 2584 wrote to memory of 2828	2584	userinit.exe	37
PID 2584 wrote to memory of 1124	2584	userinit.exe	38
PID 2584 wrote to memory of 1124	2584	userinit.exe	38
PID 2584 wrote to memory of 1124	2584	userinit.exe	38
PID 2584 wrote to memory of 1124	2584	userinit.exe	38
PID 2584 wrote to memory of 2404	2584	userinit.exe	39
PID 2584 wrote to memory of 2404	2584	userinit.exe	39
PID 2584 wrote to memory of 2404	2584	userinit.exe	39
PID 2584 wrote to memory of 2404	2584	userinit.exe	39
PID 2584 wrote to memory of 2816	2584	userinit.exe	40
PID 2584 wrote to memory of 2816	2584	userinit.exe	40
PID 2584 wrote to memory of 2816	2584	userinit.exe	40
PID 2584 wrote to memory of 2816	2584	userinit.exe	40
PID 2584 wrote to memory of 1544	2584	userinit.exe	41
PID 2584 wrote to memory of 1544	2584	userinit.exe	41
PID 2584 wrote to memory of 1544	2584	userinit.exe	41
PID 2584 wrote to memory of 1544	2584	userinit.exe	41
PID 2584 wrote to memory of 1984	2584	userinit.exe	42
PID 2584 wrote to memory of 1984	2584	userinit.exe	42
PID 2584 wrote to memory of 1984	2584	userinit.exe	42
PID 2584 wrote to memory of 1984	2584	userinit.exe	42
PID 2584 wrote to memory of 2968	2584	userinit.exe	43
PID 2584 wrote to memory of 2968	2584	userinit.exe	43
PID 2584 wrote to memory of 2968	2584	userinit.exe	43
PID 2584 wrote to memory of 2968	2584	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c0f5afba06355ef242cd0ecc1e880c1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
97KB

MD5
1c0f5afba06355ef242cd0ecc1e880c1

SHA1
6149d9f7cbbeecf65a5a83bb474a8b5ee28efb52

SHA256
d8c4a82e69d87d9e5a2cc5fad5e47854104df2d6989efc6685c348c3128fa061

SHA512
c98fe4f714279452785ffda24956b19e99dc006cf5ba537ff8b125bfb6957765dd9cfac5156d4589220ddb09286985a1260c898683eb6bd7ff8cfa2e6394e3f9

Download Submit
memory/360-413-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/556-580-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/624-349-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/684-286-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/948-257-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1044-240-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1124-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1160-535-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1168-565-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1440-603-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1544-183-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1708-460-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1708-464-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1740-509-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1772-616-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1900-328-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1900-327-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1980-378-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1984-194-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1984-197-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1988-231-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2108-622-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2140-220-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-308-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2236-293-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2236-297-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2248-12-0x0000000000460000-0x00000000004B1000-memory.dmp

Filesize
324KB

Download
memory/2248-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2248-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2248-13-0x0000000000460000-0x00000000004B1000-memory.dmp

Filesize
324KB

Download
memory/2248-20-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2392-86-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2492-661-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2504-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2504-74-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2504-69-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2516-649-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2516-652-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-356-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-93-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-291-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-252-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-299-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-303-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-238-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-313-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-314-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-323-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-193-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-156-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-334-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-15-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2584-335-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-333-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-659-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-348-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-346-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-144-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-357-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-31-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-646-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-366-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-368-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-376-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-127-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-377-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-387-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-621-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-388-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-610-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-395-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-399-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-410-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-611-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-412-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-420-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-419-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-602-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-426-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-431-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-430-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-599-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-440-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-449-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-450-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-595-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-459-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-119-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-589-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-82-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-469-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-481-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-564-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-94-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-506-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-106-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-513-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2584-517-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-534-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-292-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-552-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2584-553-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/2608-637-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-56-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2636-36-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2652-47-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2664-361-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2752-454-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2816-485-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2816-482-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2828-136-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2832-124-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2832-120-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2868-470-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2884-424-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2932-435-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2964-340-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2964-336-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3044-393-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3044-389-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download