3b04e49490253e9a35be1838b75f5e8a11bc47025fe847b126aa8a8c98c9cdd9

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
Size

211KB
MD5

83c5e9ebb50625691e160e92f8c8f244
SHA1

215df42eb95f52c9e7586fae1064552519f2c900
SHA256

3b04e49490253e9a35be1838b75f5e8a11bc47025fe847b126aa8a8c98c9cdd9
SHA512

0f28e3460589d9ce55f5dfb74db069a178f9c1005de8d9155f7b572961c7d8bb8f9107a9d282314ee366d07b0c61d9d917f966cec8b418b6f785a711713a5ac6
SSDEEP

768:NikxN1wLPr4rS518RxcW1J7XTC05GKJZQaHu7J4of1zBmQzTGfmgyqU:wkxN1wH4uHUD1V5pZQ64Zf1zwQVgvU

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1452	userinit.exe
5860	system.exe
6132	system.exe
2316	system.exe
4512	system.exe
1904	system.exe
1220	system.exe
2128	system.exe
464	system.exe
5740	system.exe
5304	system.exe
5204	system.exe
4448	system.exe
4232	system.exe
5320	system.exe
1316	system.exe
5436	system.exe
2532	system.exe
3864	system.exe
836	system.exe
4736	system.exe
5756	system.exe
5468	system.exe
2900	system.exe
5240	system.exe
5356	system.exe
1256	system.exe
1876	system.exe
2996	system.exe
4056	system.exe
5600	system.exe
2052	system.exe
4476	system.exe
1504	system.exe
668	system.exe
2200	system.exe
5508	system.exe
5548	system.exe
1692	system.exe
6084	system.exe
6080	system.exe
5892	system.exe
5488	system.exe
2632	system.exe
972	system.exe
5800	system.exe
808	system.exe
2020	system.exe
3180	system.exe
1180	system.exe
4456	system.exe
404	system.exe
5276	system.exe
5268	system.exe
5372	system.exe
3828	system.exe
4524	system.exe
5812	system.exe
4232	system.exe
2828	system.exe
4600	system.exe
4828	system.exe
1196	system.exe
1588	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
1452	userinit.exe
1452	userinit.exe
1452	userinit.exe
1452	userinit.exe
5860	system.exe
5860	system.exe
1452	userinit.exe
1452	userinit.exe
6132	system.exe
6132	system.exe
1452	userinit.exe
1452	userinit.exe
2316	system.exe
2316	system.exe
1452	userinit.exe
1452	userinit.exe
4512	system.exe
4512	system.exe
1452	userinit.exe
1452	userinit.exe
1904	system.exe
1904	system.exe
1452	userinit.exe
1452	userinit.exe
1220	system.exe
1220	system.exe
1452	userinit.exe
1452	userinit.exe
2128	system.exe
2128	system.exe
1452	userinit.exe
1452	userinit.exe
464	system.exe
464	system.exe
1452	userinit.exe
1452	userinit.exe
5740	system.exe
5740	system.exe
1452	userinit.exe
1452	userinit.exe
5304	system.exe
5304	system.exe
1452	userinit.exe
1452	userinit.exe
5204	system.exe
5204	system.exe
1452	userinit.exe
1452	userinit.exe
4448	system.exe
4448	system.exe
1452	userinit.exe
1452	userinit.exe
4232	system.exe
4232	system.exe
1452	userinit.exe
1452	userinit.exe
5320	system.exe
5320	system.exe
1452	userinit.exe
1452	userinit.exe
1316	system.exe
1316	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1452	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
1452	userinit.exe
1452	userinit.exe
5860	system.exe
5860	system.exe
6132	system.exe
6132	system.exe
2316	system.exe
2316	system.exe
4512	system.exe
4512	system.exe
1904	system.exe
1904	system.exe
1220	system.exe
1220	system.exe
2128	system.exe
2128	system.exe
464	system.exe
464	system.exe
5740	system.exe
5740	system.exe
5304	system.exe
5304	system.exe
5204	system.exe
5204	system.exe
4448	system.exe
4448	system.exe
4232	system.exe
4232	system.exe
5320	system.exe
5320	system.exe
1316	system.exe
1316	system.exe
5436	system.exe
5436	system.exe
2532	system.exe
2532	system.exe
3864	system.exe
3864	system.exe
836	system.exe
836	system.exe
4736	system.exe
4736	system.exe
5756	system.exe
5756	system.exe
5468	system.exe
5468	system.exe
2900	system.exe
2900	system.exe
5240	system.exe
5240	system.exe
5356	system.exe
5356	system.exe
1256	system.exe
1256	system.exe
1876	system.exe
1876	system.exe
2996	system.exe
2996	system.exe
4056	system.exe
4056	system.exe
5600	system.exe
5600	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5188 wrote to memory of 1452	5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	87
PID 5188 wrote to memory of 1452	5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	87
PID 5188 wrote to memory of 1452	5188	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	87
PID 1452 wrote to memory of 5860	1452	userinit.exe	89
PID 1452 wrote to memory of 5860	1452	userinit.exe	89
PID 1452 wrote to memory of 5860	1452	userinit.exe	89
PID 1452 wrote to memory of 6132	1452	userinit.exe	90
PID 1452 wrote to memory of 6132	1452	userinit.exe	90
PID 1452 wrote to memory of 6132	1452	userinit.exe	90
PID 1452 wrote to memory of 2316	1452	userinit.exe	93
PID 1452 wrote to memory of 2316	1452	userinit.exe	93
PID 1452 wrote to memory of 2316	1452	userinit.exe	93
PID 1452 wrote to memory of 4512	1452	userinit.exe	96
PID 1452 wrote to memory of 4512	1452	userinit.exe	96
PID 1452 wrote to memory of 4512	1452	userinit.exe	96
PID 1452 wrote to memory of 1904	1452	userinit.exe	97
PID 1452 wrote to memory of 1904	1452	userinit.exe	97
PID 1452 wrote to memory of 1904	1452	userinit.exe	97
PID 1452 wrote to memory of 1220	1452	userinit.exe	98
PID 1452 wrote to memory of 1220	1452	userinit.exe	98
PID 1452 wrote to memory of 1220	1452	userinit.exe	98
PID 1452 wrote to memory of 2128	1452	userinit.exe	100
PID 1452 wrote to memory of 2128	1452	userinit.exe	100
PID 1452 wrote to memory of 2128	1452	userinit.exe	100
PID 1452 wrote to memory of 464	1452	userinit.exe	101
PID 1452 wrote to memory of 464	1452	userinit.exe	101
PID 1452 wrote to memory of 464	1452	userinit.exe	101
PID 1452 wrote to memory of 5740	1452	userinit.exe	103
PID 1452 wrote to memory of 5740	1452	userinit.exe	103
PID 1452 wrote to memory of 5740	1452	userinit.exe	103
PID 1452 wrote to memory of 5304	1452	userinit.exe	104
PID 1452 wrote to memory of 5304	1452	userinit.exe	104
PID 1452 wrote to memory of 5304	1452	userinit.exe	104
PID 1452 wrote to memory of 5204	1452	userinit.exe	105
PID 1452 wrote to memory of 5204	1452	userinit.exe	105
PID 1452 wrote to memory of 5204	1452	userinit.exe	105
PID 1452 wrote to memory of 4448	1452	userinit.exe	107
PID 1452 wrote to memory of 4448	1452	userinit.exe	107
PID 1452 wrote to memory of 4448	1452	userinit.exe	107
PID 1452 wrote to memory of 4232	1452	userinit.exe	108
PID 1452 wrote to memory of 4232	1452	userinit.exe	108
PID 1452 wrote to memory of 4232	1452	userinit.exe	108
PID 1452 wrote to memory of 5320	1452	userinit.exe	109
PID 1452 wrote to memory of 5320	1452	userinit.exe	109
PID 1452 wrote to memory of 5320	1452	userinit.exe	109
PID 1452 wrote to memory of 1316	1452	userinit.exe	110
PID 1452 wrote to memory of 1316	1452	userinit.exe	110
PID 1452 wrote to memory of 1316	1452	userinit.exe	110
PID 1452 wrote to memory of 5436	1452	userinit.exe	111
PID 1452 wrote to memory of 5436	1452	userinit.exe	111
PID 1452 wrote to memory of 5436	1452	userinit.exe	111
PID 1452 wrote to memory of 2532	1452	userinit.exe	112
PID 1452 wrote to memory of 2532	1452	userinit.exe	112
PID 1452 wrote to memory of 2532	1452	userinit.exe	112
PID 1452 wrote to memory of 3864	1452	userinit.exe	113
PID 1452 wrote to memory of 3864	1452	userinit.exe	113
PID 1452 wrote to memory of 3864	1452	userinit.exe	113
PID 1452 wrote to memory of 836	1452	userinit.exe	114
PID 1452 wrote to memory of 836	1452	userinit.exe	114
PID 1452 wrote to memory of 836	1452	userinit.exe	114
PID 1452 wrote to memory of 4736	1452	userinit.exe	115
PID 1452 wrote to memory of 4736	1452	userinit.exe	115
PID 1452 wrote to memory of 4736	1452	userinit.exe	115
PID 1452 wrote to memory of 5756	1452	userinit.exe	116

C:\Users\Admin\AppData\Local\Temp\83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5188
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:6080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:64
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
211KB

MD5
83c5e9ebb50625691e160e92f8c8f244

SHA1
215df42eb95f52c9e7586fae1064552519f2c900

SHA256
3b04e49490253e9a35be1838b75f5e8a11bc47025fe847b126aa8a8c98c9cdd9

SHA512
0f28e3460589d9ce55f5dfb74db069a178f9c1005de8d9155f7b572961c7d8bb8f9107a9d282314ee366d07b0c61d9d917f966cec8b418b6f785a711713a5ac6

Download Submit
memory/64-591-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/404-293-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/532-530-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/668-206-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/768-380-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/808-267-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/812-428-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/836-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/972-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1180-283-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1196-354-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1196-581-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1220-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1256-164-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1256-374-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1316-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1344-554-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1384-453-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-12-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1452-223-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-274-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-177-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-321-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-429-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1504-201-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1544-385-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1588-359-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-227-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1720-749-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-169-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-601-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1880-438-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1900-571-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1900-566-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1904-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1904-56-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2020-272-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2052-191-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-443-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2128-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2200-211-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2216-586-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2316-44-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2316-39-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2316-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2532-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2632-252-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2716-694-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2716-485-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2828-337-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2900-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2912-721-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2996-175-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3016-545-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-564-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3088-395-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3172-711-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3172-706-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3216-636-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3240-704-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3300-726-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3312-418-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3428-627-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3608-364-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3664-559-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3708-499-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3760-576-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3772-645-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3828-313-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3864-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4024-669-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-181-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4232-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4232-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4252-413-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4420-448-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4440-617-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4448-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4456-288-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4476-660-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4476-196-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4512-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4512-50-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4524-319-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4528-469-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4560-611-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4600-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4636-689-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4736-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4788-716-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4828-349-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4856-475-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4868-458-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4884-596-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4924-535-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4956-744-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5028-674-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5128-520-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5188-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5188-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5188-18-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5188-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5204-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5204-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5224-679-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5240-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5268-303-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5276-298-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5304-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5320-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5336-408-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5356-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5356-369-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5372-308-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5396-735-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5436-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5468-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5488-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5500-514-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5500-509-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5508-216-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5520-459-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5520-464-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5536-540-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5548-221-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5600-186-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5724-504-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5740-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5756-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5800-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5812-325-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5824-525-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5828-650-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5860-30-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5860-25-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5860-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5880-622-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5884-490-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5892-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5940-684-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5960-699-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6020-606-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6024-390-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6080-237-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6084-232-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6100-480-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6132-33-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/6132-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6132-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download