6fdc10aa6fbd64dc10e0be193db877f7f9b64cb5d7db2deb627d0752b4c4e11a

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
Size

236KB
MD5

70f7d82de5b6762d7aa16721802e634b
SHA1

f6531696f17f8f5acb653f8ac292aa06c1e186c5
SHA256

6fdc10aa6fbd64dc10e0be193db877f7f9b64cb5d7db2deb627d0752b4c4e11a
SHA512

60c81eb1ed2f3965fc7c497bba28e652f1246ba0da1ddbd6388e8d20a52d1a4f3077ed7036a66fdfe6b88efc59647957d1e44047e71ebd04591f42dc3a2b1867
SSDEEP

1536:YIf1zwQVgROUsu5e/lQCwJXjqkKx0YOW4pu8f1zwQVgvUHK+:YI1zwLROUsu5eNwJWkKxZ4puc1zwLvU

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3708	userinit.exe
3496	system.exe
2912	system.exe
4068	system.exe
4412	system.exe
3608	system.exe
456	system.exe
1056	system.exe
2328	system.exe
3924	system.exe
3932	system.exe
4696	system.exe
4352	system.exe
4672	system.exe
3432	system.exe
1232	system.exe
3528	system.exe
3728	system.exe
4940	system.exe
3676	system.exe
3680	system.exe
4568	system.exe
1800	system.exe
640	system.exe
4304	system.exe
3508	system.exe
2344	system.exe
544	system.exe
4068	system.exe
2964	system.exe
2688	system.exe
1916	system.exe
3988	system.exe
1460	system.exe
1448	system.exe
5040	system.exe
4480	system.exe
4852	system.exe
4392	system.exe
4724	system.exe
1560	system.exe
4864	system.exe
4240	system.exe
1704	system.exe
2612	system.exe
1712	system.exe
2952	system.exe
2776	system.exe
2712	system.exe
1148	system.exe
2912	system.exe
3204	system.exe
1504	system.exe
1152	system.exe
2072	system.exe
5008	system.exe
1816	system.exe
3256	system.exe
4148	system.exe
1980	system.exe
2364	system.exe
5044	system.exe
856	system.exe
3692	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
3708	userinit.exe
3708	userinit.exe
3708	userinit.exe
3708	userinit.exe
3496	system.exe
3496	system.exe
3708	userinit.exe
3708	userinit.exe
2912	system.exe
2912	system.exe
3708	userinit.exe
3708	userinit.exe
4068	system.exe
4068	system.exe
3708	userinit.exe
3708	userinit.exe
4412	system.exe
4412	system.exe
3708	userinit.exe
3708	userinit.exe
3608	system.exe
3608	system.exe
3708	userinit.exe
3708	userinit.exe
456	system.exe
456	system.exe
3708	userinit.exe
3708	userinit.exe
1056	system.exe
1056	system.exe
3708	userinit.exe
3708	userinit.exe
2328	system.exe
2328	system.exe
3708	userinit.exe
3708	userinit.exe
3924	system.exe
3924	system.exe
3708	userinit.exe
3708	userinit.exe
3932	system.exe
3932	system.exe
3708	userinit.exe
3708	userinit.exe
4696	system.exe
4696	system.exe
3708	userinit.exe
3708	userinit.exe
4352	system.exe
4352	system.exe
3708	userinit.exe
3708	userinit.exe
4672	system.exe
4672	system.exe
3708	userinit.exe
3708	userinit.exe
3432	system.exe
3432	system.exe
3708	userinit.exe
3708	userinit.exe
1232	system.exe
1232	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3708	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
3708	userinit.exe
3708	userinit.exe
3496	system.exe
3496	system.exe
2912	system.exe
2912	system.exe
4068	system.exe
4068	system.exe
4412	system.exe
4412	system.exe
3608	system.exe
3608	system.exe
456	system.exe
456	system.exe
1056	system.exe
1056	system.exe
2328	system.exe
2328	system.exe
3924	system.exe
3924	system.exe
3932	system.exe
3932	system.exe
4696	system.exe
4696	system.exe
4352	system.exe
4352	system.exe
4672	system.exe
4672	system.exe
3432	system.exe
3432	system.exe
1232	system.exe
1232	system.exe
3528	system.exe
3528	system.exe
3728	system.exe
3728	system.exe
4940	system.exe
4940	system.exe
3676	system.exe
3676	system.exe
3680	system.exe
3680	system.exe
4568	system.exe
4568	system.exe
1800	system.exe
1800	system.exe
640	system.exe
640	system.exe
4304	system.exe
4304	system.exe
3508	system.exe
3508	system.exe
2344	system.exe
2344	system.exe
544	system.exe
544	system.exe
4068	system.exe
4068	system.exe
2964	system.exe
2964	system.exe
2688	system.exe
2688	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 3708	1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe	86
PID 1232 wrote to memory of 3708	1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe	86
PID 1232 wrote to memory of 3708	1232	70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe	86
PID 3708 wrote to memory of 3496	3708	userinit.exe	90
PID 3708 wrote to memory of 3496	3708	userinit.exe	90
PID 3708 wrote to memory of 3496	3708	userinit.exe	90
PID 3708 wrote to memory of 2912	3708	userinit.exe	92
PID 3708 wrote to memory of 2912	3708	userinit.exe	92
PID 3708 wrote to memory of 2912	3708	userinit.exe	92
PID 3708 wrote to memory of 4068	3708	userinit.exe	95
PID 3708 wrote to memory of 4068	3708	userinit.exe	95
PID 3708 wrote to memory of 4068	3708	userinit.exe	95
PID 3708 wrote to memory of 4412	3708	userinit.exe	98
PID 3708 wrote to memory of 4412	3708	userinit.exe	98
PID 3708 wrote to memory of 4412	3708	userinit.exe	98
PID 3708 wrote to memory of 3608	3708	userinit.exe	99
PID 3708 wrote to memory of 3608	3708	userinit.exe	99
PID 3708 wrote to memory of 3608	3708	userinit.exe	99
PID 3708 wrote to memory of 456	3708	userinit.exe	100
PID 3708 wrote to memory of 456	3708	userinit.exe	100
PID 3708 wrote to memory of 456	3708	userinit.exe	100
PID 3708 wrote to memory of 1056	3708	userinit.exe	102
PID 3708 wrote to memory of 1056	3708	userinit.exe	102
PID 3708 wrote to memory of 1056	3708	userinit.exe	102
PID 3708 wrote to memory of 2328	3708	userinit.exe	103
PID 3708 wrote to memory of 2328	3708	userinit.exe	103
PID 3708 wrote to memory of 2328	3708	userinit.exe	103
PID 3708 wrote to memory of 3924	3708	userinit.exe	104
PID 3708 wrote to memory of 3924	3708	userinit.exe	104
PID 3708 wrote to memory of 3924	3708	userinit.exe	104
PID 3708 wrote to memory of 3932	3708	userinit.exe	107
PID 3708 wrote to memory of 3932	3708	userinit.exe	107
PID 3708 wrote to memory of 3932	3708	userinit.exe	107
PID 3708 wrote to memory of 4696	3708	userinit.exe	108
PID 3708 wrote to memory of 4696	3708	userinit.exe	108
PID 3708 wrote to memory of 4696	3708	userinit.exe	108
PID 3708 wrote to memory of 4352	3708	userinit.exe	109
PID 3708 wrote to memory of 4352	3708	userinit.exe	109
PID 3708 wrote to memory of 4352	3708	userinit.exe	109
PID 3708 wrote to memory of 4672	3708	userinit.exe	110
PID 3708 wrote to memory of 4672	3708	userinit.exe	110
PID 3708 wrote to memory of 4672	3708	userinit.exe	110
PID 3708 wrote to memory of 3432	3708	userinit.exe	111
PID 3708 wrote to memory of 3432	3708	userinit.exe	111
PID 3708 wrote to memory of 3432	3708	userinit.exe	111
PID 3708 wrote to memory of 1232	3708	userinit.exe	112
PID 3708 wrote to memory of 1232	3708	userinit.exe	112
PID 3708 wrote to memory of 1232	3708	userinit.exe	112
PID 3708 wrote to memory of 3528	3708	userinit.exe	113
PID 3708 wrote to memory of 3528	3708	userinit.exe	113
PID 3708 wrote to memory of 3528	3708	userinit.exe	113
PID 3708 wrote to memory of 3728	3708	userinit.exe	114
PID 3708 wrote to memory of 3728	3708	userinit.exe	114
PID 3708 wrote to memory of 3728	3708	userinit.exe	114
PID 3708 wrote to memory of 4940	3708	userinit.exe	115
PID 3708 wrote to memory of 4940	3708	userinit.exe	115
PID 3708 wrote to memory of 4940	3708	userinit.exe	115
PID 3708 wrote to memory of 3676	3708	userinit.exe	116
PID 3708 wrote to memory of 3676	3708	userinit.exe	116
PID 3708 wrote to memory of 3676	3708	userinit.exe	116
PID 3708 wrote to memory of 3680	3708	userinit.exe	117
PID 3708 wrote to memory of 3680	3708	userinit.exe	117
PID 3708 wrote to memory of 3680	3708	userinit.exe	117
PID 3708 wrote to memory of 4568	3708	userinit.exe	118

C:\Users\Admin\AppData\Local\Temp\70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70f7d82de5b6762d7aa16721802e634b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:32
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
236KB

MD5
70f7d82de5b6762d7aa16721802e634b

SHA1
f6531696f17f8f5acb653f8ac292aa06c1e186c5

SHA256
6fdc10aa6fbd64dc10e0be193db877f7f9b64cb5d7db2deb627d0752b4c4e11a

SHA512
60c81eb1ed2f3965fc7c497bba28e652f1246ba0da1ddbd6388e8d20a52d1a4f3077ed7036a66fdfe6b88efc59647957d1e44047e71ebd04591f42dc3a2b1867

Download Submit
memory/456-50-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/464-440-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/544-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/640-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/916-389-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/960-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-448-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1056-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1148-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-421-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1224-365-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1232-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1232-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1232-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1460-185-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1488-452-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1504-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1560-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1600-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1704-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1712-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1740-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1760-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1800-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-296-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-311-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2056-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2072-425-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2072-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2100-433-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2160-402-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2208-385-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2364-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2488-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2612-237-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2656-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2688-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2712-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2776-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2912-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2912-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2940-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2952-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2964-165-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-357-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3204-271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3256-301-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3432-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3496-21-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3496-25-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3508-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3528-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3608-45-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3676-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3680-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3692-329-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3708-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-105-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3832-468-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3924-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3932-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3964-373-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3968-413-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3988-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4008-444-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4064-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4068-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4068-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-464-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4148-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4304-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4336-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4352-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4388-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4392-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4412-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4444-456-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4480-198-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4568-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4588-337-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4672-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4696-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4724-213-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4828-353-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4852-203-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4864-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4940-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4940-381-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5008-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5044-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download