ffec80e33ca050c78c5af49a23b4943b68872b9bef75bbe75f4bf277fddec3f7

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe
Size

80KB
MD5

43dcf05478833250d15ba492cf1ca381
SHA1

51a7df050834c19d7814a128d1b78ee133ce3e7f
SHA256

ffec80e33ca050c78c5af49a23b4943b68872b9bef75bbe75f4bf277fddec3f7
SHA512

14c81606af972ea7187efdecc3bc8dd1e299e41245f95134c3f522c6569b7f0292e862c986e956377db157f554c8943df82870fb3435aa7eddab186f07d38cae
SSDEEP

1536:C0FBV3gTCVEmMOet6HQHYnu3PpQ3aRhdsRxO4z:CWVe8EhO24nGPS3ajL4z

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2460	userinit.exe
2128	system.exe
2696	system.exe
2952	system.exe
2708	system.exe
2564	system.exe
2168	system.exe
2360	system.exe
1964	system.exe
1184	system.exe
1448	system.exe
2908	system.exe
2084	system.exe
2372	system.exe
408	system.exe
328	system.exe
1720	system.exe
924	system.exe
1864	system.exe
1572	system.exe
560	system.exe
2448	system.exe
1828	system.exe
2184	system.exe
2468	system.exe
784	system.exe
2672	system.exe
2752	system.exe
2844	system.exe
2712	system.exe
2608	system.exe
2832	system.exe
2168	system.exe
2368	system.exe
2104	system.exe
1964	system.exe
1240	system.exe
1624	system.exe
2932	system.exe
2400	system.exe
2248	system.exe
1144	system.exe
1008	system.exe
328	system.exe
1720	system.exe
2216	system.exe
1864	system.exe
2992	system.exe
2388	system.exe
552	system.exe
2200	system.exe
2624	system.exe
2900	system.exe
1604	system.exe
2804	system.exe
2740	system.exe
2584	system.exe
2744	system.exe
2576	system.exe
2000	system.exe
1508	system.exe
2852	system.exe
2364	system.exe
2724	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe
2460	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe
2460	userinit.exe
2460	userinit.exe
2128	system.exe
2460	userinit.exe
2696	system.exe
2460	userinit.exe
2952	system.exe
2460	userinit.exe
2708	system.exe
2460	userinit.exe
2564	system.exe
2460	userinit.exe
2168	system.exe
2460	userinit.exe
2360	system.exe
2460	userinit.exe
1964	system.exe
2460	userinit.exe
1184	system.exe
2460	userinit.exe
1448	system.exe
2460	userinit.exe
2908	system.exe
2460	userinit.exe
2084	system.exe
2460	userinit.exe
2372	system.exe
2460	userinit.exe
408	system.exe
2460	userinit.exe
328	system.exe
2460	userinit.exe
1720	system.exe
2460	userinit.exe
924	system.exe
2460	userinit.exe
1864	system.exe
2460	userinit.exe
1572	system.exe
2460	userinit.exe
560	system.exe
2460	userinit.exe
2448	system.exe
2460	userinit.exe
1828	system.exe
2460	userinit.exe
2184	system.exe
2460	userinit.exe
2468	system.exe
2460	userinit.exe
784	system.exe
2460	userinit.exe
2672	system.exe
2460	userinit.exe
2752	system.exe
2460	userinit.exe
2844	system.exe
2460	userinit.exe
2712	system.exe
2460	userinit.exe
2608	system.exe
2460	userinit.exe
2832	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2460	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe
784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe
2460	userinit.exe
2460	userinit.exe
2128	system.exe
2128	system.exe
2696	system.exe
2696	system.exe
2952	system.exe
2952	system.exe
2708	system.exe
2708	system.exe
2564	system.exe
2564	system.exe
2168	system.exe
2168	system.exe
2360	system.exe
2360	system.exe
1964	system.exe
1964	system.exe
1184	system.exe
1184	system.exe
1448	system.exe
1448	system.exe
2908	system.exe
2908	system.exe
2084	system.exe
2084	system.exe
2372	system.exe
2372	system.exe
408	system.exe
408	system.exe
328	system.exe
328	system.exe
1720	system.exe
1720	system.exe
924	system.exe
924	system.exe
1864	system.exe
1864	system.exe
1572	system.exe
1572	system.exe
560	system.exe
560	system.exe
2448	system.exe
2448	system.exe
1828	system.exe
1828	system.exe
2184	system.exe
2184	system.exe
2468	system.exe
2468	system.exe
784	system.exe
784	system.exe
2672	system.exe
2672	system.exe
2752	system.exe
2752	system.exe
2844	system.exe
2844	system.exe
2712	system.exe
2712	system.exe
2608	system.exe
2608	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2460	784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe	31
PID 784 wrote to memory of 2460	784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe	31
PID 784 wrote to memory of 2460	784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe	31
PID 784 wrote to memory of 2460	784	43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2128	2460	userinit.exe	32
PID 2460 wrote to memory of 2128	2460	userinit.exe	32
PID 2460 wrote to memory of 2128	2460	userinit.exe	32
PID 2460 wrote to memory of 2128	2460	userinit.exe	32
PID 2460 wrote to memory of 2696	2460	userinit.exe	33
PID 2460 wrote to memory of 2696	2460	userinit.exe	33
PID 2460 wrote to memory of 2696	2460	userinit.exe	33
PID 2460 wrote to memory of 2696	2460	userinit.exe	33
PID 2460 wrote to memory of 2952	2460	userinit.exe	34
PID 2460 wrote to memory of 2952	2460	userinit.exe	34
PID 2460 wrote to memory of 2952	2460	userinit.exe	34
PID 2460 wrote to memory of 2952	2460	userinit.exe	34
PID 2460 wrote to memory of 2708	2460	userinit.exe	35
PID 2460 wrote to memory of 2708	2460	userinit.exe	35
PID 2460 wrote to memory of 2708	2460	userinit.exe	35
PID 2460 wrote to memory of 2708	2460	userinit.exe	35
PID 2460 wrote to memory of 2564	2460	userinit.exe	36
PID 2460 wrote to memory of 2564	2460	userinit.exe	36
PID 2460 wrote to memory of 2564	2460	userinit.exe	36
PID 2460 wrote to memory of 2564	2460	userinit.exe	36
PID 2460 wrote to memory of 2168	2460	userinit.exe	37
PID 2460 wrote to memory of 2168	2460	userinit.exe	37
PID 2460 wrote to memory of 2168	2460	userinit.exe	37
PID 2460 wrote to memory of 2168	2460	userinit.exe	37
PID 2460 wrote to memory of 2360	2460	userinit.exe	38
PID 2460 wrote to memory of 2360	2460	userinit.exe	38
PID 2460 wrote to memory of 2360	2460	userinit.exe	38
PID 2460 wrote to memory of 2360	2460	userinit.exe	38
PID 2460 wrote to memory of 1964	2460	userinit.exe	39
PID 2460 wrote to memory of 1964	2460	userinit.exe	39
PID 2460 wrote to memory of 1964	2460	userinit.exe	39
PID 2460 wrote to memory of 1964	2460	userinit.exe	39
PID 2460 wrote to memory of 1184	2460	userinit.exe	40
PID 2460 wrote to memory of 1184	2460	userinit.exe	40
PID 2460 wrote to memory of 1184	2460	userinit.exe	40
PID 2460 wrote to memory of 1184	2460	userinit.exe	40
PID 2460 wrote to memory of 1448	2460	userinit.exe	41
PID 2460 wrote to memory of 1448	2460	userinit.exe	41
PID 2460 wrote to memory of 1448	2460	userinit.exe	41
PID 2460 wrote to memory of 1448	2460	userinit.exe	41
PID 2460 wrote to memory of 2908	2460	userinit.exe	42
PID 2460 wrote to memory of 2908	2460	userinit.exe	42
PID 2460 wrote to memory of 2908	2460	userinit.exe	42
PID 2460 wrote to memory of 2908	2460	userinit.exe	42
PID 2460 wrote to memory of 2084	2460	userinit.exe	43
PID 2460 wrote to memory of 2084	2460	userinit.exe	43
PID 2460 wrote to memory of 2084	2460	userinit.exe	43
PID 2460 wrote to memory of 2084	2460	userinit.exe	43
PID 2460 wrote to memory of 2372	2460	userinit.exe	44
PID 2460 wrote to memory of 2372	2460	userinit.exe	44
PID 2460 wrote to memory of 2372	2460	userinit.exe	44
PID 2460 wrote to memory of 2372	2460	userinit.exe	44
PID 2460 wrote to memory of 408	2460	userinit.exe	45
PID 2460 wrote to memory of 408	2460	userinit.exe	45
PID 2460 wrote to memory of 408	2460	userinit.exe	45
PID 2460 wrote to memory of 408	2460	userinit.exe	45
PID 2460 wrote to memory of 328	2460	userinit.exe	46
PID 2460 wrote to memory of 328	2460	userinit.exe	46
PID 2460 wrote to memory of 328	2460	userinit.exe	46
PID 2460 wrote to memory of 328	2460	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43dcf05478833250d15ba492cf1ca381_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
80KB

MD5
43dcf05478833250d15ba492cf1ca381

SHA1
51a7df050834c19d7814a128d1b78ee133ce3e7f

SHA256
ffec80e33ca050c78c5af49a23b4943b68872b9bef75bbe75f4bf277fddec3f7

SHA512
14c81606af972ea7187efdecc3bc8dd1e299e41245f95134c3f522c6569b7f0292e862c986e956377db157f554c8943df82870fb3435aa7eddab186f07d38cae

Download Submit
memory/328-212-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/328-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/408-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/560-273-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/560-271-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/784-13-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/784-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/784-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/784-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/784-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-499-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-501-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1144-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1184-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1184-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1240-435-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1448-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1448-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1572-254-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1572-258-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1624-447-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-521-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-294-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1864-246-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1864-543-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1964-422-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1964-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2084-178-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2084-174-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2128-34-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2128-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2128-38-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-391-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-395-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-102-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-300-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2216-529-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2360-115-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2360-110-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-189-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-564-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2400-469-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-285-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-281-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2460-309-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-433-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-267-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2460-280-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-231-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-293-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-562-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-161-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-563-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2460-310-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2460-320-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-123-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-321-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-339-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-340-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-550-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-359-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-549-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-373-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-372-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-380-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-379-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-542-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-390-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-389-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2460-400-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-401-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-411-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-410-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-421-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-540-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-420-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-434-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-73-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-269-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-442-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-443-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-527-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-454-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-32-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-455-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-464-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-465-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-58-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/2460-475-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-474-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-484-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-485-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-528-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-518-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-498-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-497-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-520-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-507-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2460-506-0x0000000003B40000-0x0000000003B7D000-memory.dmp

Filesize
244KB

Download
memory/2468-311-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-86-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2564-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-90-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2696-50-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2696-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-360-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2740-640-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2744-660-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2844-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-162-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2932-456-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-59-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-60-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download