modiloader | a07475d774cadd20d19fd6a66f7f825e020637b2cb808836428299dad9dcb2c7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe
Size

827KB
MD5

455fe207373aaaab038130ca9cf33b04
SHA1

6403c49c66d5c1214b1c012f7bc1bf70150c201f
SHA256

a07475d774cadd20d19fd6a66f7f825e020637b2cb808836428299dad9dcb2c7
SHA512

9626a91b85f50a5b5af23ddefd197f5d58429dca7b2b2212d5214110e29e172f9497cd786aa060bb75fe08a82aebba1771f14d7915187397a3faa2db7619706e
SSDEEP

24576:+ahFTN8/TJSAK3Stp2Utx8aYc+J2QEsZIFx:TFoTJ10Stp2Uk5cIEs6z

Score

10^/10

modiloader discovery evasion persistence themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 22 IoCs

resource	yara_rule
behavioral2/memory/1388-6-0x0000000000401000-0x000000000043F000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-8-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-7-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-9-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-10-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-21-0x0000000000401000-0x000000000043F000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-20-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/3472-36-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-37-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-38-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-41-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-44-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-47-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-50-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-53-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-56-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-59-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-62-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-65-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-68-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-71-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2
behavioral2/memory/5040-74-0x0000000000400000-0x000000000051B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	videos.exe

Executes dropped EXE 3 IoCs

pid	Process
1388	videos.exe
5040	mstwain32.exe
3472	videos.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	videos.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	mstwain32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	videos.exe

Loads dropped DLL 4 IoCs

pid	Process
5040	mstwain32.exe
5040	mstwain32.exe
5040	mstwain32.exe
5040	mstwain32.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000c000000023b7f-3.dat	themida
behavioral2/memory/1388-4-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/1388-8-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/1388-7-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/1388-9-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/1388-10-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/3472-24-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/1388-20-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/3472-36-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-37-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-38-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-41-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-44-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-47-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-50-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-53-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-56-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-59-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-62-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-65-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-68-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-71-0x0000000000400000-0x000000000051B000-memory.dmp	themida
behavioral2/memory/5040-74-0x0000000000400000-0x000000000051B000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	videos.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1388	videos.exe
5040	mstwain32.exe
3472	videos.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	videos.exe
File opened for modification	C:\Windows\mstwain32.exe	videos.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5048	1388	WerFault.exe	83
432	1388	WerFault.exe	83
988	1388	WerFault.exe	83
4160	1388	WerFault.exe	83
4104	1388	WerFault.exe	83
4772	1388	WerFault.exe	83
2616	1388	WerFault.exe	83
2692	1388	WerFault.exe	83
4280	1388	WerFault.exe	83
4224	1388	WerFault.exe	83
1468	1388	WerFault.exe	83
2540	1388	WerFault.exe	83
4556	1388	WerFault.exe	83
3472	1388	WerFault.exe	83
3156	1388	WerFault.exe	83
2380	1388	WerFault.exe	83
208	1388	WerFault.exe	83
4828	1388	WerFault.exe	83
4904	1388	WerFault.exe	83
1180	1388	WerFault.exe	83
4976	1388	WerFault.exe	83
2440	1388	WerFault.exe	83
2276	1388	WerFault.exe	83
4396	1388	WerFault.exe	83
392	1388	WerFault.exe	83
916	5040	WerFault.exe	144
3156	3472	WerFault.exe	147
1616	5040	WerFault.exe	144
2808	3472	WerFault.exe	147
516	5040	WerFault.exe	144
3320	3472	WerFault.exe	147
3224	5040	WerFault.exe	144
272	3472	WerFault.exe	147
4804	5040	WerFault.exe	144
3908	3472	WerFault.exe	147
3676	5040	WerFault.exe	144
3096	3472	WerFault.exe	147
2524	5040	WerFault.exe	144
3728	3472	WerFault.exe	147
3332	5040	WerFault.exe	144
3916	3472	WerFault.exe	147
728	5040	WerFault.exe	144
2368	3472	WerFault.exe	147
4852	5040	WerFault.exe	144
2228	3472	WerFault.exe	147
3600	5040	WerFault.exe	144
3660	3472	WerFault.exe	147
1284	5040	WerFault.exe	144
3620	3472	WerFault.exe	147
4828	5040	WerFault.exe	144
2728	3472	WerFault.exe	147
4976	5040	WerFault.exe	144
2984	3472	WerFault.exe	147
3768	5040	WerFault.exe	144
304	3472	WerFault.exe	147
1840	5040	WerFault.exe	144
4508	3472	WerFault.exe	147
4564	5040	WerFault.exe	144
3124	3472	WerFault.exe	147
3972	5040	WerFault.exe	144
3096	3472	WerFault.exe	147
4824	5040	WerFault.exe	144
2820	3472	WerFault.exe	147
2616	5040	WerFault.exe	144

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1388	videos.exe
1388	videos.exe
5040	mstwain32.exe
5040	mstwain32.exe
3472	videos.exe
3472	videos.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	videos.exe
Token: SeBackupPrivilege	680	vssvc.exe
Token: SeRestorePrivilege	680	vssvc.exe
Token: SeAuditPrivilege	680	vssvc.exe
Token: SeDebugPrivilege	5040	mstwain32.exe
Token: SeDebugPrivilege	5040	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5040	mstwain32.exe
5040	mstwain32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1388	1640	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe	83
PID 1640 wrote to memory of 1388	1640	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe	83
PID 1640 wrote to memory of 1388	1640	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe	83
PID 1388 wrote to memory of 5040	1388	videos.exe	144
PID 1388 wrote to memory of 5040	1388	videos.exe	144
PID 1388 wrote to memory of 5040	1388	videos.exe	144
PID 1640 wrote to memory of 3472	1640	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe	147
PID 1640 wrote to memory of 3472	1640	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe	147
PID 1640 wrote to memory of 3472	1640	JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe	147

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_455fe207373aaaab038130ca9cf33b04.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\videos.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\videos.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 568
    3⤵
    - Program crash
    PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 608
    3⤵
    - Program crash
    PID:432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 616
    3⤵
    - Program crash
    PID:988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 768
    3⤵
    - Program crash
    PID:4160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 776
    3⤵
    - Program crash
    PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 812
    3⤵
    - Program crash
    PID:4772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 796
    3⤵
    - Program crash
    PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 804
    3⤵
    - Program crash
    PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 612
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 800
    3⤵
    - Program crash
    PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 616
    3⤵
    - Program crash
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 824
    3⤵
    - Program crash
    PID:2540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 780
    3⤵
    - Program crash
    PID:4556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 604
    3⤵
    - Program crash
    PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 792
    3⤵
    - Program crash
    PID:3156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 820
    3⤵
    - Program crash
    PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 764
    3⤵
    - Program crash
    PID:208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 784
    3⤵
    - Program crash
    PID:4828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 836
    3⤵
    - Program crash
    PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 856
    3⤵
    - Program crash
    PID:1180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 876
    3⤵
    - Program crash
    PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 896
    3⤵
    - Program crash
    PID:2440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 860
    3⤵
    - Program crash
    PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 904
    3⤵
    - Program crash
    PID:4396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 844
    3⤵
    - Program crash
    PID:392
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:5040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 268
      4⤵
      Program crash
      PID:916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 444
      4⤵
      Program crash
      PID:1616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 480
      4⤵
      Program crash
      PID:516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 500
      4⤵
      Program crash
      PID:3224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 508
      4⤵
      Program crash
      PID:4804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 556
      4⤵
      Program crash
      PID:3676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 576
      4⤵
      Program crash
      PID:2524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 584
      4⤵
      Program crash
      PID:3332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 568
      4⤵
      Program crash
      PID:728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 560
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 576
      4⤵
      Program crash
      PID:3600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 600
      4⤵
      Program crash
      PID:1284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 624
      4⤵
      Program crash
      PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 564
      4⤵
      Program crash
      PID:4976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 612
      4⤵
      Program crash
      PID:3768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 620
      4⤵
      Program crash
      PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 600
      4⤵
      Program crash
      PID:4564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 532
      4⤵
      Program crash
      PID:3972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 572
      4⤵
      Program crash
      PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 608
      4⤵
      Program crash
      PID:2616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 584
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 556
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 456
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 644
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 600
      4⤵
      PID:4304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\videos.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\videos.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 560
    3⤵
    - Program crash
    PID:3156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 684
    3⤵
    - Program crash
    PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 764
    3⤵
    - Program crash
    PID:3320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 760
    3⤵
    - Program crash
    PID:272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 768
    3⤵
    - Program crash
    PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 684
    3⤵
    - Program crash
    PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 784
    3⤵
    - Program crash
    PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 760
    3⤵
    - Program crash
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 768
    3⤵
    - Program crash
    PID:2368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 680
    3⤵
    - Program crash
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 688
    3⤵
    - Program crash
    PID:3660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 776
    3⤵
    - Program crash
    PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 792
    3⤵
    - Program crash
    PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 804
    3⤵
    - Program crash
    PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 812
    3⤵
    - Program crash
    PID:304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 840
    3⤵
    - Program crash
    PID:4508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 780
    3⤵
    - Program crash
    PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 788
    3⤵
    - Program crash
    PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 796
    3⤵
    - Program crash
    PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 792
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 808
    3⤵
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 768
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 792
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 680
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 836
    3⤵
    PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1388 -ip 1388
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1388 -ip 1388
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1388 -ip 1388
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1388 -ip 1388
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1388 -ip 1388
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1388 -ip 1388
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1388 -ip 1388
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1388 -ip 1388
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1388 -ip 1388
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1388 -ip 1388
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1388 -ip 1388
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1388 -ip 1388
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1388 -ip 1388
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1388 -ip 1388
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1388 -ip 1388
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1388 -ip 1388
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1388 -ip 1388
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1388 -ip 1388
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1388 -ip 1388
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1388 -ip 1388
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1388 -ip 1388
1⤵
PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5040 -ip 5040
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3472 -ip 3472
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5040 -ip 5040
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3472 -ip 3472
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5040 -ip 5040
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3472 -ip 3472
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5040 -ip 5040
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3472 -ip 3472
1⤵
PID:268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5040 -ip 5040
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3472 -ip 3472
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5040 -ip 5040
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3472 -ip 3472
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5040 -ip 5040
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3472 -ip 3472
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5040 -ip 5040
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3472 -ip 3472
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5040 -ip 5040
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3472 -ip 3472
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5040 -ip 5040
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3472 -ip 3472
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5040 -ip 5040
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3472 -ip 3472
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5040 -ip 5040
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3472 -ip 3472
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5040 -ip 5040
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3472 -ip 3472
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5040 -ip 5040
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3472 -ip 3472
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5040 -ip 5040
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3472 -ip 3472
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5040 -ip 5040
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3472 -ip 3472
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5040 -ip 5040
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3472 -ip 3472
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5040 -ip 5040
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3472 -ip 3472
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5040 -ip 5040
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3472 -ip 3472
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5040 -ip 5040
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3472 -ip 3472
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5040 -ip 5040
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5040 -ip 5040
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3472 -ip 3472
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5040 -ip 5040
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3472 -ip 3472
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5040 -ip 5040
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3472 -ip 3472
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5040 -ip 5040
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3472 -ip 3472
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3472 -ip 3472
1⤵
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\videos.exe

Filesize
1.1MB

MD5
7f9c5ce7e8afe74909e604de471ccd41

SHA1
da25b73da8a890552a3406d0a1525e6108864a32

SHA256
63690cb459dfdde275876821c646955f0e60b1a23de0940b849659bab30ea9b1

SHA512
3bc5d3e1f96515dd9d8659115fa2bf6a8b7fecb57d33d7ae6dbea43c3778373c3c332eac2eb81b037a4b61337fcb2109fe0af28681a58aab256526171646769b

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
a7db481d2412185aaf46e5c64307b99d

SHA1
3cfdfbfe7b97c5a31f2434e8e448468f653b1e8d

SHA256
f47fa98af227e37181f1b8edffef14ccacd194e15ad9e8cc93c55e7014532963

SHA512
77247cb4c955953376a5593094d5fedffd7016157a9f604b2e7cf237117df203fadce3450bc467d3a1095b8c14eec135cb03342a604bdd6d3678a88eaa9b9d7d

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1388-10-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1388-7-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1388-9-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1388-21-0x0000000000401000-0x000000000043F000-memory.dmp

Filesize
248KB

Download
memory/1388-20-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1388-8-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1388-6-0x0000000000401000-0x000000000043F000-memory.dmp

Filesize
248KB

Download
memory/1388-4-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3472-36-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3472-24-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-37-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-53-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-39-0x00000000045A0000-0x00000000045A8000-memory.dmp

Filesize
32KB

Download
memory/5040-40-0x00000000054F0000-0x00000000054FE000-memory.dmp

Filesize
56KB

Download
memory/5040-38-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-41-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-44-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-47-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-50-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-34-0x00000000054F0000-0x00000000054FE000-memory.dmp

Filesize
56KB

Download
memory/5040-56-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-59-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-62-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-65-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-68-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-71-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-74-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download