563734356596c657ed114ac367b03c4bd71185cd5f49f798e07999fcdd5bf813

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
Size

910KB
MD5

731b375315d471b6d4c521aafdb7d059
SHA1

ff58197179f54d49db8aa698057f4b7c0c0de788
SHA256

563734356596c657ed114ac367b03c4bd71185cd5f49f798e07999fcdd5bf813
SHA512

e5fdc10cfbee59d3cad00cb9b855763e375ce8b766a3b42c2db57f4d67df3ec00cb0bd187ca16e759bac15f980dbc5455e45e4d689899d1c3bda50c16bc5e4f5
SSDEEP

24576:A+ivXbZrAJrr186rmIWgVRFyIMQ5xv+UXmRE43ss:A+OXbxz8JWgg5Q5kemRR8s

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
5040	userinit.exe
2500	system.exe
4200	system.exe
1836	system.exe
1424	system.exe
4720	system.exe
2240	system.exe
1956	system.exe
456	system.exe
2088	system.exe
2960	system.exe
3912	system.exe
232	system.exe
3580	system.exe
3896	system.exe
4292	system.exe
4248	system.exe
2896	system.exe
3316	system.exe
4172	system.exe
956	system.exe
2172	system.exe
708	system.exe
1964	system.exe
3144	system.exe
4464	system.exe
3100	system.exe
4896	system.exe
3876	system.exe
3604	system.exe
4404	system.exe
1384	system.exe
2544	system.exe
3328	system.exe
4248	system.exe
5020	system.exe
4632	system.exe
2116	system.exe
1172	system.exe
4652	system.exe
888	system.exe
4728	system.exe
4884	system.exe
4944	system.exe
4764	system.exe
1944	system.exe
2000	system.exe
2428	system.exe
4000	system.exe
3600	system.exe
2964	system.exe
448	system.exe
3052	system.exe
1712	system.exe
2476	system.exe
4904	system.exe
1860	system.exe
3820	system.exe
1856	system.exe
5020	system.exe
4992	system.exe
2868	system.exe
1820	system.exe
4196	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
5040	userinit.exe
5040	userinit.exe
5040	userinit.exe
5040	userinit.exe
2500	system.exe
2500	system.exe
5040	userinit.exe
5040	userinit.exe
4200	system.exe
4200	system.exe
5040	userinit.exe
5040	userinit.exe
1836	system.exe
1836	system.exe
5040	userinit.exe
5040	userinit.exe
1424	system.exe
1424	system.exe
5040	userinit.exe
5040	userinit.exe
4720	system.exe
4720	system.exe
5040	userinit.exe
5040	userinit.exe
2240	system.exe
2240	system.exe
5040	userinit.exe
5040	userinit.exe
1956	system.exe
1956	system.exe
5040	userinit.exe
5040	userinit.exe
456	system.exe
456	system.exe
5040	userinit.exe
5040	userinit.exe
2088	system.exe
2088	system.exe
5040	userinit.exe
5040	userinit.exe
2960	system.exe
2960	system.exe
5040	userinit.exe
5040	userinit.exe
3912	system.exe
3912	system.exe
5040	userinit.exe
5040	userinit.exe
232	system.exe
232	system.exe
5040	userinit.exe
5040	userinit.exe
3580	system.exe
3580	system.exe
5040	userinit.exe
5040	userinit.exe
3896	system.exe
3896	system.exe
5040	userinit.exe
5040	userinit.exe
4292	system.exe
4292	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5040	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
5040	userinit.exe
5040	userinit.exe
2500	system.exe
2500	system.exe
4200	system.exe
4200	system.exe
1836	system.exe
1836	system.exe
1424	system.exe
1424	system.exe
4720	system.exe
4720	system.exe
2240	system.exe
2240	system.exe
1956	system.exe
1956	system.exe
456	system.exe
456	system.exe
2088	system.exe
2088	system.exe
2960	system.exe
2960	system.exe
3912	system.exe
3912	system.exe
232	system.exe
232	system.exe
3580	system.exe
3580	system.exe
3896	system.exe
3896	system.exe
4292	system.exe
4292	system.exe
4248	system.exe
4248	system.exe
2896	system.exe
2896	system.exe
3316	system.exe
3316	system.exe
4172	system.exe
4172	system.exe
956	system.exe
956	system.exe
2172	system.exe
2172	system.exe
708	system.exe
708	system.exe
1964	system.exe
1964	system.exe
3144	system.exe
3144	system.exe
4464	system.exe
4464	system.exe
3100	system.exe
3100	system.exe
4896	system.exe
4896	system.exe
3876	system.exe
3876	system.exe
3604	system.exe
3604	system.exe
4404	system.exe
4404	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 5040	2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	84
PID 2972 wrote to memory of 5040	2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	84
PID 2972 wrote to memory of 5040	2972	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	84
PID 5040 wrote to memory of 2500	5040	userinit.exe	88
PID 5040 wrote to memory of 2500	5040	userinit.exe	88
PID 5040 wrote to memory of 2500	5040	userinit.exe	88
PID 5040 wrote to memory of 4200	5040	userinit.exe	91
PID 5040 wrote to memory of 4200	5040	userinit.exe	91
PID 5040 wrote to memory of 4200	5040	userinit.exe	91
PID 5040 wrote to memory of 1836	5040	userinit.exe	94
PID 5040 wrote to memory of 1836	5040	userinit.exe	94
PID 5040 wrote to memory of 1836	5040	userinit.exe	94
PID 5040 wrote to memory of 1424	5040	userinit.exe	95
PID 5040 wrote to memory of 1424	5040	userinit.exe	95
PID 5040 wrote to memory of 1424	5040	userinit.exe	95
PID 5040 wrote to memory of 4720	5040	userinit.exe	96
PID 5040 wrote to memory of 4720	5040	userinit.exe	96
PID 5040 wrote to memory of 4720	5040	userinit.exe	96
PID 5040 wrote to memory of 2240	5040	userinit.exe	98
PID 5040 wrote to memory of 2240	5040	userinit.exe	98
PID 5040 wrote to memory of 2240	5040	userinit.exe	98
PID 5040 wrote to memory of 1956	5040	userinit.exe	99
PID 5040 wrote to memory of 1956	5040	userinit.exe	99
PID 5040 wrote to memory of 1956	5040	userinit.exe	99
PID 5040 wrote to memory of 456	5040	userinit.exe	100
PID 5040 wrote to memory of 456	5040	userinit.exe	100
PID 5040 wrote to memory of 456	5040	userinit.exe	100
PID 5040 wrote to memory of 2088	5040	userinit.exe	103
PID 5040 wrote to memory of 2088	5040	userinit.exe	103
PID 5040 wrote to memory of 2088	5040	userinit.exe	103
PID 5040 wrote to memory of 2960	5040	userinit.exe	104
PID 5040 wrote to memory of 2960	5040	userinit.exe	104
PID 5040 wrote to memory of 2960	5040	userinit.exe	104
PID 5040 wrote to memory of 3912	5040	userinit.exe	105
PID 5040 wrote to memory of 3912	5040	userinit.exe	105
PID 5040 wrote to memory of 3912	5040	userinit.exe	105
PID 5040 wrote to memory of 232	5040	userinit.exe	106
PID 5040 wrote to memory of 232	5040	userinit.exe	106
PID 5040 wrote to memory of 232	5040	userinit.exe	106
PID 5040 wrote to memory of 3580	5040	userinit.exe	107
PID 5040 wrote to memory of 3580	5040	userinit.exe	107
PID 5040 wrote to memory of 3580	5040	userinit.exe	107
PID 5040 wrote to memory of 3896	5040	userinit.exe	108
PID 5040 wrote to memory of 3896	5040	userinit.exe	108
PID 5040 wrote to memory of 3896	5040	userinit.exe	108
PID 5040 wrote to memory of 4292	5040	userinit.exe	109
PID 5040 wrote to memory of 4292	5040	userinit.exe	109
PID 5040 wrote to memory of 4292	5040	userinit.exe	109
PID 5040 wrote to memory of 4248	5040	userinit.exe	110
PID 5040 wrote to memory of 4248	5040	userinit.exe	110
PID 5040 wrote to memory of 4248	5040	userinit.exe	110
PID 5040 wrote to memory of 2896	5040	userinit.exe	111
PID 5040 wrote to memory of 2896	5040	userinit.exe	111
PID 5040 wrote to memory of 2896	5040	userinit.exe	111
PID 5040 wrote to memory of 3316	5040	userinit.exe	112
PID 5040 wrote to memory of 3316	5040	userinit.exe	112
PID 5040 wrote to memory of 3316	5040	userinit.exe	112
PID 5040 wrote to memory of 4172	5040	userinit.exe	113
PID 5040 wrote to memory of 4172	5040	userinit.exe	113
PID 5040 wrote to memory of 4172	5040	userinit.exe	113
PID 5040 wrote to memory of 956	5040	userinit.exe	114
PID 5040 wrote to memory of 956	5040	userinit.exe	114
PID 5040 wrote to memory of 956	5040	userinit.exe	114
PID 5040 wrote to memory of 2172	5040	userinit.exe	115

C:\Users\Admin\AppData\Local\Temp\731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
910KB

MD5
731b375315d471b6d4c521aafdb7d059

SHA1
ff58197179f54d49db8aa698057f4b7c0c0de788

SHA256
563734356596c657ed114ac367b03c4bd71185cd5f49f798e07999fcdd5bf813

SHA512
e5fdc10cfbee59d3cad00cb9b855763e375ce8b766a3b42c2db57f4d67df3ec00cb0bd187ca16e759bac15f980dbc5455e45e4d689899d1c3bda50c16bc5e4f5

Download Submit
memory/232-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/312-433-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/448-274-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/456-60-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/628-429-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/708-130-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/888-220-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/956-120-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1092-404-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1172-210-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1220-448-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1384-175-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1424-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1556-444-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1564-347-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1712-284-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1820-327-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1836-35-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1860-299-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1944-245-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1956-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-135-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2000-250-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2064-363-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2088-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2116-205-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2148-371-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2152-409-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2172-125-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2240-50-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2260-335-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2428-255-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2476-289-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2500-24-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2544-180-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2704-367-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2748-355-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2868-323-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-413-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-105-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2960-70-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2972-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2972-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-343-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3052-279-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3100-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3144-140-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3316-110-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3328-185-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3580-85-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3600-265-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3604-165-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3612-395-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3792-351-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3820-304-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3876-160-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3896-90-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3912-375-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3912-75-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3916-456-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4000-260-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4080-383-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4156-387-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4172-115-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4196-331-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4200-30-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4200-26-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4248-100-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4248-190-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4292-95-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4348-417-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4392-425-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4404-170-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4464-145-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4620-379-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4632-200-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4640-339-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4652-215-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4668-421-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4720-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4728-225-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4756-400-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4764-240-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4884-230-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4892-391-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4896-155-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4904-294-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4920-440-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4932-452-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4944-235-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4992-318-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5004-359-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5020-195-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5020-313-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5040-396-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5100-408-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download