3cb4cf39fd42e256a8fdeaf83e50c006e5f1ad4da80592c0ce5c281bb05f80c2

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
Size

80KB
MD5

8420cde966094a4165ed5f6160fee8b5
SHA1

55129d9f051acb7d7dc78135eeb1afb17d07bfa9
SHA256

3cb4cf39fd42e256a8fdeaf83e50c006e5f1ad4da80592c0ce5c281bb05f80c2
SHA512

1d180acf9058c87576ef5c38fc57086eeb0ca04c738134e0ad70a69409b1bf3010a6a32d06b541a65c550bbce738c40c5f802c21597b0921fbfc2d0056fc32b4
SSDEEP

768:2JfIhrOhrlBB1dGn4HQ/aSjaAato92ah0vZRr2NdkDg3e3UmaRxaY71dsBpKcTDI:uIhr8d6Z/p7atEhKZ55gIaRhdsRxOcS

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3508	userinit.exe
996	system.exe
3740	system.exe
2500	system.exe
4896	system.exe
5052	system.exe
5064	system.exe
2308	system.exe
2780	system.exe
1224	system.exe
4928	system.exe
4424	system.exe
1720	system.exe
2148	system.exe
3848	system.exe
2388	system.exe
5028	system.exe
2384	system.exe
2964	system.exe
2128	system.exe
4696	system.exe
4308	system.exe
4640	system.exe
3856	system.exe
3768	system.exe
1820	system.exe
244	system.exe
4076	system.exe
4884	system.exe
4800	system.exe
2748	system.exe
2040	system.exe
3412	system.exe
1720	system.exe
1760	system.exe
3848	system.exe
4912	system.exe
5108	system.exe
4304	system.exe
1672	system.exe
3056	system.exe
2664	system.exe
1988	system.exe
1380	system.exe
3384	system.exe
3852	system.exe
1288	system.exe
2772	system.exe
312	system.exe
4644	system.exe
1676	system.exe
2500	system.exe
3840	system.exe
2256	system.exe
2636	system.exe
3816	system.exe
4048	system.exe
1108	system.exe
4148	system.exe
3380	system.exe
4212	system.exe
4436	system.exe
3436	system.exe
5028	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
3508	userinit.exe
3508	userinit.exe
3508	userinit.exe
3508	userinit.exe
996	system.exe
996	system.exe
3508	userinit.exe
3508	userinit.exe
3740	system.exe
3740	system.exe
3508	userinit.exe
3508	userinit.exe
2500	system.exe
2500	system.exe
3508	userinit.exe
3508	userinit.exe
4896	system.exe
4896	system.exe
3508	userinit.exe
3508	userinit.exe
5052	system.exe
5052	system.exe
3508	userinit.exe
3508	userinit.exe
5064	system.exe
5064	system.exe
3508	userinit.exe
3508	userinit.exe
2308	system.exe
2308	system.exe
3508	userinit.exe
3508	userinit.exe
2780	system.exe
2780	system.exe
3508	userinit.exe
3508	userinit.exe
1224	system.exe
1224	system.exe
3508	userinit.exe
3508	userinit.exe
4928	system.exe
4928	system.exe
3508	userinit.exe
3508	userinit.exe
4424	system.exe
4424	system.exe
3508	userinit.exe
3508	userinit.exe
1720	system.exe
1720	system.exe
3508	userinit.exe
3508	userinit.exe
2148	system.exe
2148	system.exe
3508	userinit.exe
3508	userinit.exe
3848	system.exe
3848	system.exe
3508	userinit.exe
3508	userinit.exe
2388	system.exe
2388	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3508	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
3508	userinit.exe
3508	userinit.exe
996	system.exe
996	system.exe
3740	system.exe
3740	system.exe
2500	system.exe
2500	system.exe
4896	system.exe
4896	system.exe
5052	system.exe
5052	system.exe
5064	system.exe
5064	system.exe
2308	system.exe
2308	system.exe
2780	system.exe
2780	system.exe
1224	system.exe
1224	system.exe
4928	system.exe
4928	system.exe
4424	system.exe
4424	system.exe
1720	system.exe
1720	system.exe
2148	system.exe
2148	system.exe
3848	system.exe
3848	system.exe
2388	system.exe
2388	system.exe
5028	system.exe
5028	system.exe
2384	system.exe
2384	system.exe
2964	system.exe
2964	system.exe
2128	system.exe
2128	system.exe
4696	system.exe
4696	system.exe
4308	system.exe
4308	system.exe
4640	system.exe
4640	system.exe
3856	system.exe
3856	system.exe
3768	system.exe
3768	system.exe
1820	system.exe
1820	system.exe
244	system.exe
244	system.exe
4076	system.exe
4076	system.exe
4884	system.exe
4884	system.exe
4800	system.exe
4800	system.exe
2748	system.exe
2748	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3508	1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe	85
PID 1400 wrote to memory of 3508	1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe	85
PID 1400 wrote to memory of 3508	1400	8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe	85
PID 3508 wrote to memory of 996	3508	userinit.exe	88
PID 3508 wrote to memory of 996	3508	userinit.exe	88
PID 3508 wrote to memory of 996	3508	userinit.exe	88
PID 3508 wrote to memory of 3740	3508	userinit.exe	91
PID 3508 wrote to memory of 3740	3508	userinit.exe	91
PID 3508 wrote to memory of 3740	3508	userinit.exe	91
PID 3508 wrote to memory of 2500	3508	userinit.exe	94
PID 3508 wrote to memory of 2500	3508	userinit.exe	94
PID 3508 wrote to memory of 2500	3508	userinit.exe	94
PID 3508 wrote to memory of 4896	3508	userinit.exe	95
PID 3508 wrote to memory of 4896	3508	userinit.exe	95
PID 3508 wrote to memory of 4896	3508	userinit.exe	95
PID 3508 wrote to memory of 5052	3508	userinit.exe	96
PID 3508 wrote to memory of 5052	3508	userinit.exe	96
PID 3508 wrote to memory of 5052	3508	userinit.exe	96
PID 3508 wrote to memory of 5064	3508	userinit.exe	98
PID 3508 wrote to memory of 5064	3508	userinit.exe	98
PID 3508 wrote to memory of 5064	3508	userinit.exe	98
PID 3508 wrote to memory of 2308	3508	userinit.exe	99
PID 3508 wrote to memory of 2308	3508	userinit.exe	99
PID 3508 wrote to memory of 2308	3508	userinit.exe	99
PID 3508 wrote to memory of 2780	3508	userinit.exe	100
PID 3508 wrote to memory of 2780	3508	userinit.exe	100
PID 3508 wrote to memory of 2780	3508	userinit.exe	100
PID 3508 wrote to memory of 1224	3508	userinit.exe	102
PID 3508 wrote to memory of 1224	3508	userinit.exe	102
PID 3508 wrote to memory of 1224	3508	userinit.exe	102
PID 3508 wrote to memory of 4928	3508	userinit.exe	103
PID 3508 wrote to memory of 4928	3508	userinit.exe	103
PID 3508 wrote to memory of 4928	3508	userinit.exe	103
PID 3508 wrote to memory of 4424	3508	userinit.exe	104
PID 3508 wrote to memory of 4424	3508	userinit.exe	104
PID 3508 wrote to memory of 4424	3508	userinit.exe	104
PID 3508 wrote to memory of 1720	3508	userinit.exe	106
PID 3508 wrote to memory of 1720	3508	userinit.exe	106
PID 3508 wrote to memory of 1720	3508	userinit.exe	106
PID 3508 wrote to memory of 2148	3508	userinit.exe	107
PID 3508 wrote to memory of 2148	3508	userinit.exe	107
PID 3508 wrote to memory of 2148	3508	userinit.exe	107
PID 3508 wrote to memory of 3848	3508	userinit.exe	108
PID 3508 wrote to memory of 3848	3508	userinit.exe	108
PID 3508 wrote to memory of 3848	3508	userinit.exe	108
PID 3508 wrote to memory of 2388	3508	userinit.exe	109
PID 3508 wrote to memory of 2388	3508	userinit.exe	109
PID 3508 wrote to memory of 2388	3508	userinit.exe	109
PID 3508 wrote to memory of 5028	3508	userinit.exe	110
PID 3508 wrote to memory of 5028	3508	userinit.exe	110
PID 3508 wrote to memory of 5028	3508	userinit.exe	110
PID 3508 wrote to memory of 2384	3508	userinit.exe	111
PID 3508 wrote to memory of 2384	3508	userinit.exe	111
PID 3508 wrote to memory of 2384	3508	userinit.exe	111
PID 3508 wrote to memory of 2964	3508	userinit.exe	112
PID 3508 wrote to memory of 2964	3508	userinit.exe	112
PID 3508 wrote to memory of 2964	3508	userinit.exe	112
PID 3508 wrote to memory of 2128	3508	userinit.exe	113
PID 3508 wrote to memory of 2128	3508	userinit.exe	113
PID 3508 wrote to memory of 2128	3508	userinit.exe	113
PID 3508 wrote to memory of 4696	3508	userinit.exe	114
PID 3508 wrote to memory of 4696	3508	userinit.exe	114
PID 3508 wrote to memory of 4696	3508	userinit.exe	114
PID 3508 wrote to memory of 4308	3508	userinit.exe	115

C:\Users\Admin\AppData\Local\Temp\8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8420cde966094a4165ed5f6160fee8b5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
80KB

MD5
8420cde966094a4165ed5f6160fee8b5

SHA1
55129d9f051acb7d7dc78135eeb1afb17d07bfa9

SHA256
3cb4cf39fd42e256a8fdeaf83e50c006e5f1ad4da80592c0ce5c281bb05f80c2

SHA512
1d180acf9058c87576ef5c38fc57086eeb0ca04c738134e0ad70a69409b1bf3010a6a32d06b541a65c550bbce738c40c5f802c21597b0921fbfc2d0056fc32b4

Download Submit
memory/244-162-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/312-277-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/312-273-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/640-440-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/812-367-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/864-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-487-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/996-25-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/996-29-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1012-598-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1224-74-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1288-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1380-250-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1400-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1400-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1400-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1476-656-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1592-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-230-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-287-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1820-157-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-701-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1924-619-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-377-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1988-512-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1988-245-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1996-557-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2012-397-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2040-189-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2128-126-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2240-523-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2272-666-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2280-724-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2308-624-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2308-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2384-116-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-106-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-507-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2500-38-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2500-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2500-42-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2636-307-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-642-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-383-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2688-477-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2748-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-416-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-270-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2780-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2792-651-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-588-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-528-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-688-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-121-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3000-569-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3024-468-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3056-235-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3140-719-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3140-482-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3364-411-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3380-336-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3384-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3412-194-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3436-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3444-714-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3488-449-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3508-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3508-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3508-12-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3508-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3588-574-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3608-547-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3628-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3740-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3740-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3740-32-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3768-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3816-312-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3840-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3848-209-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3848-101-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3852-260-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3856-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3864-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4020-593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4024-699-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4048-317-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4076-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4092-518-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4148-330-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4148-325-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4156-689-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4156-694-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4160-614-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4160-609-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4304-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4308-137-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4344-492-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4424-86-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4436-347-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4440-607-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4480-435-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4480-683-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4592-746-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4608-426-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4628-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4640-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4644-282-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4696-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4708-552-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4728-741-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-629-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4800-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4800-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4824-542-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4896-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4896-44-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4912-214-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4928-77-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4928-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4984-497-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5028-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5028-353-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5028-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5052-564-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5052-54-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5052-50-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/5052-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-59-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5084-537-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5108-219-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download