8545ad6343852321d4b27b5525a43bfe2c338a5a99ca0cb95dcb5a2f224a40b0

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe
Size

404KB
MD5

3f329631c989465b4ebbfd388f318c41
SHA1

c89c6f13ebe029c68b781788a09d14b6493f14a5
SHA256

8545ad6343852321d4b27b5525a43bfe2c338a5a99ca0cb95dcb5a2f224a40b0
SHA512

6e07bfad5ba0a5710566a26c842c95ed7a509894f22d307420847be6700d491e1d18569085f805c0cea8847807153d9cc89c20d2ad8af62cd3b85c9db33f0d78
SSDEEP

1536:+5unRtH3imqV74A6J6SQEh+/sLbaRhdsRxOV:YQRt5qV7WYSQEhWsLbajLV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2020	userinit.exe
2964	system.exe
2980	system.exe
2740	system.exe
2768	system.exe
768	system.exe
740	system.exe
1960	system.exe
2920	system.exe
2984	system.exe
2928	system.exe
2212	system.exe
1028	system.exe
2196	system.exe
1972	system.exe
2608	system.exe
2672	system.exe
2016	system.exe
2368	system.exe
980	system.exe
1968	system.exe
1692	system.exe
868	system.exe
1584	system.exe
1364	system.exe
2108	system.exe
2856	system.exe
2828	system.exe
2968	system.exe
2760	system.exe
1604	system.exe
1228	system.exe
2176	system.exe
2888	system.exe
372	system.exe
2092	system.exe
1628	system.exe
1868	system.exe
2212	system.exe
572	system.exe
2452	system.exe
108	system.exe
736	system.exe
1500	system.exe
1928	system.exe
1776	system.exe
2324	system.exe
1664	system.exe
2260	system.exe
2120	system.exe
1156	system.exe
1724	system.exe
2172	system.exe
2308	system.exe
2892	system.exe
2808	system.exe
3036	system.exe
2828	system.exe
2708	system.exe
2820	system.exe
884	system.exe
1124	system.exe
2128	system.exe
3048	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2808	Regsvr32.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe
2020	userinit.exe
2020	userinit.exe
2964	system.exe
2020	userinit.exe
2980	system.exe
2020	userinit.exe
2740	system.exe
2020	userinit.exe
2768	system.exe
2020	userinit.exe
768	system.exe
2020	userinit.exe
740	system.exe
2020	userinit.exe
1960	system.exe
2020	userinit.exe
2920	system.exe
2020	userinit.exe
2984	system.exe
2020	userinit.exe
2928	system.exe
2020	userinit.exe
2212	system.exe
2020	userinit.exe
1028	system.exe
2020	userinit.exe
2196	system.exe
2020	userinit.exe
1972	system.exe
2020	userinit.exe
2608	system.exe
2020	userinit.exe
2672	system.exe
2020	userinit.exe
2016	system.exe
2020	userinit.exe
2368	system.exe
2020	userinit.exe
980	system.exe
2020	userinit.exe
1968	system.exe
2020	userinit.exe
1692	system.exe
2020	userinit.exe
868	system.exe
2020	userinit.exe
1584	system.exe
2020	userinit.exe
1364	system.exe
2020	userinit.exe
2108	system.exe
2020	userinit.exe
2856	system.exe
2020	userinit.exe
2828	system.exe
2020	userinit.exe
2968	system.exe
2020	userinit.exe
2760	system.exe
2020	userinit.exe
1604	system.exe
2020	userinit.exe
1228	system.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe
2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe
2020	userinit.exe
2020	userinit.exe
2964	system.exe
2964	system.exe
2980	system.exe
2980	system.exe
2740	system.exe
2740	system.exe
2768	system.exe
2768	system.exe
768	system.exe
768	system.exe
740	system.exe
740	system.exe
1960	system.exe
1960	system.exe
2920	system.exe
2920	system.exe
2984	system.exe
2984	system.exe
2928	system.exe
2928	system.exe
2212	system.exe
2212	system.exe
1028	system.exe
1028	system.exe
2196	system.exe
2196	system.exe
1972	system.exe
1972	system.exe
2608	system.exe
2608	system.exe
2672	system.exe
2672	system.exe
2016	system.exe
2016	system.exe
2368	system.exe
2368	system.exe
980	system.exe
980	system.exe
1968	system.exe
1968	system.exe
1692	system.exe
1692	system.exe
868	system.exe
868	system.exe
1584	system.exe
1584	system.exe
1364	system.exe
1364	system.exe
2108	system.exe
2108	system.exe
2856	system.exe
2856	system.exe
2828	system.exe
2828	system.exe
2968	system.exe
2968	system.exe
2760	system.exe
2760	system.exe
1604	system.exe
1604	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2020	2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2020	2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2020	2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2020	2524	3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2808	2020	userinit.exe	31
PID 2020 wrote to memory of 2964	2020	userinit.exe	32
PID 2020 wrote to memory of 2964	2020	userinit.exe	32
PID 2020 wrote to memory of 2964	2020	userinit.exe	32
PID 2020 wrote to memory of 2964	2020	userinit.exe	32
PID 2020 wrote to memory of 2980	2020	userinit.exe	33
PID 2020 wrote to memory of 2980	2020	userinit.exe	33
PID 2020 wrote to memory of 2980	2020	userinit.exe	33
PID 2020 wrote to memory of 2980	2020	userinit.exe	33
PID 2020 wrote to memory of 2740	2020	userinit.exe	34
PID 2020 wrote to memory of 2740	2020	userinit.exe	34
PID 2020 wrote to memory of 2740	2020	userinit.exe	34
PID 2020 wrote to memory of 2740	2020	userinit.exe	34
PID 2020 wrote to memory of 2768	2020	userinit.exe	35
PID 2020 wrote to memory of 2768	2020	userinit.exe	35
PID 2020 wrote to memory of 2768	2020	userinit.exe	35
PID 2020 wrote to memory of 2768	2020	userinit.exe	35
PID 2020 wrote to memory of 768	2020	userinit.exe	36
PID 2020 wrote to memory of 768	2020	userinit.exe	36
PID 2020 wrote to memory of 768	2020	userinit.exe	36
PID 2020 wrote to memory of 768	2020	userinit.exe	36
PID 2020 wrote to memory of 740	2020	userinit.exe	37
PID 2020 wrote to memory of 740	2020	userinit.exe	37
PID 2020 wrote to memory of 740	2020	userinit.exe	37
PID 2020 wrote to memory of 740	2020	userinit.exe	37
PID 2020 wrote to memory of 1960	2020	userinit.exe	38
PID 2020 wrote to memory of 1960	2020	userinit.exe	38
PID 2020 wrote to memory of 1960	2020	userinit.exe	38
PID 2020 wrote to memory of 1960	2020	userinit.exe	38
PID 2020 wrote to memory of 2920	2020	userinit.exe	39
PID 2020 wrote to memory of 2920	2020	userinit.exe	39
PID 2020 wrote to memory of 2920	2020	userinit.exe	39
PID 2020 wrote to memory of 2920	2020	userinit.exe	39
PID 2020 wrote to memory of 2984	2020	userinit.exe	40
PID 2020 wrote to memory of 2984	2020	userinit.exe	40
PID 2020 wrote to memory of 2984	2020	userinit.exe	40
PID 2020 wrote to memory of 2984	2020	userinit.exe	40
PID 2020 wrote to memory of 2928	2020	userinit.exe	41
PID 2020 wrote to memory of 2928	2020	userinit.exe	41
PID 2020 wrote to memory of 2928	2020	userinit.exe	41
PID 2020 wrote to memory of 2928	2020	userinit.exe	41
PID 2020 wrote to memory of 2212	2020	userinit.exe	42
PID 2020 wrote to memory of 2212	2020	userinit.exe	42
PID 2020 wrote to memory of 2212	2020	userinit.exe	42
PID 2020 wrote to memory of 2212	2020	userinit.exe	42
PID 2020 wrote to memory of 1028	2020	userinit.exe	43
PID 2020 wrote to memory of 1028	2020	userinit.exe	43
PID 2020 wrote to memory of 1028	2020	userinit.exe	43
PID 2020 wrote to memory of 1028	2020	userinit.exe	43
PID 2020 wrote to memory of 2196	2020	userinit.exe	44
PID 2020 wrote to memory of 2196	2020	userinit.exe	44
PID 2020 wrote to memory of 2196	2020	userinit.exe	44
PID 2020 wrote to memory of 2196	2020	userinit.exe	44
PID 2020 wrote to memory of 1972	2020	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f329631c989465b4ebbfd388f318c41_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\Windows\system32\MSWINSCK.OCX /s
    3⤵
    - Loads dropped DLL
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
19514e83ff7b391e5d6a3876a4aa535b

SHA1
de2c08563550d331049de540ddd931c0e88e30c1

SHA256
f330826e0a60474a6f2cf1095b45fc05845d01845ab5bfb282e10750ec270abf

SHA512
2c8c825f60cceac36027968081f7a9f84ee2260a6559d507855e8fa0629c368737d71c700b5a09c049f2f74443495b435517f54dba3ace0176e80eacfa0cb32b

Download Submit
C:\Windows\userinit.exe

Filesize
404KB

MD5
3f329631c989465b4ebbfd388f318c41

SHA1
c89c6f13ebe029c68b781788a09d14b6493f14a5

SHA256
8545ad6343852321d4b27b5525a43bfe2c338a5a99ca0cb95dcb5a2f224a40b0

SHA512
6e07bfad5ba0a5710566a26c842c95ed7a509894f22d307420847be6700d491e1d18569085f805c0cea8847807153d9cc89c20d2ad8af62cd3b85c9db33f0d78

Download Submit
memory/372-428-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/740-104-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/768-92-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/768-88-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/868-304-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1028-175-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1228-397-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1604-387-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1604-386-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1628-450-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1664-564-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1868-461-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1960-116-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1960-112-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1968-283-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1972-203-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2016-240-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2016-244-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2020-303-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-434-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-532-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-533-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-519-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-518-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-141-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2020-513-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-512-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-170-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-502-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-182-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-184-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-501-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-198-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-197-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-490-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-211-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-210-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-225-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-224-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-488-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-478-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-239-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-238-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-477-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-253-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-252-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-470-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-267-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-266-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-279-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-278-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-469-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-288-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-289-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-301-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-14-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2020-457-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-309-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-310-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-324-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-322-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-330-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-329-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-456-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-341-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-343-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-446-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-444-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-350-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-351-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-361-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-363-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-373-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-372-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-99-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-381-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-384-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-436-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-30-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-393-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-392-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-426-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-406-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-405-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-412-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-413-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2020-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2020-427-0x0000000003850000-0x00000000038EA000-memory.dmp

Filesize
616KB

Download
memory/2092-437-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2108-334-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2172-610-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2196-189-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2212-163-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2212-471-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2368-257-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2452-492-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2524-23-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2524-13-0x0000000003870000-0x000000000390A000-memory.dmp

Filesize
616KB

Download
memory/2524-2-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2524-3-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2672-230-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2740-64-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2740-63-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2760-376-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2768-76-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2828-656-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2856-344-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2856-345-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2920-128-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2928-152-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2928-151-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2964-42-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2964-38-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2964-39-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2980-55-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2980-50-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2984-139-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download