ada27e7c13d4e381025cd84c44431eda399bb2d4e808cadfd8b842e47b9d83c1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
Size

71KB
MD5

8eb0a3a616f58e9075774764357c6ab7
SHA1

58379870ff54e6abb0f0c17771fb94df22ef49ba
SHA256

ada27e7c13d4e381025cd84c44431eda399bb2d4e808cadfd8b842e47b9d83c1
SHA512

ff9b388058aa6c18ff4f2eec0d98dd055a0dbb3596c9d6bd76830d547e024ffed47b30ad2800f6a15e21b11006a03201b1d195325edbd1d37aaf1d88d9fcd7f3
SSDEEP

768:paCaB044YAHIiSkrzzx0iDTOtMxZI5C8w/f1zBmQzTGfmgyq6zU:IC0OMcamTaWf1zwQVgv6I

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1276	userinit.exe
3676	system.exe
4280	system.exe
1616	system.exe
2172	system.exe
4408	system.exe
2512	system.exe
3312	system.exe
4004	system.exe
3124	system.exe
1044	system.exe
1052	system.exe
2448	system.exe
4768	system.exe
4468	system.exe
1848	system.exe
3128	system.exe
3812	system.exe
2336	system.exe
2324	system.exe
552	system.exe
3904	system.exe
1596	system.exe
2084	system.exe
1960	system.exe
4864	system.exe
4800	system.exe
2932	system.exe
2664	system.exe
1732	system.exe
1040	system.exe
3436	system.exe
2088	system.exe
4256	system.exe
3692	system.exe
4824	system.exe
2696	system.exe
3336	system.exe
4248	system.exe
3952	system.exe
2864	system.exe
3524	system.exe
3584	system.exe
4896	system.exe
8	system.exe
3020	system.exe
1504	system.exe
4356	system.exe
4212	system.exe
932	system.exe
2076	system.exe
1960	system.exe
3352	system.exe
3832	system.exe
5028	system.exe
4580	system.exe
3632	system.exe
3844	system.exe
2268	system.exe
1944	system.exe
4044	system.exe
4976	system.exe
4892	system.exe
1776	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
1276	userinit.exe
1276	userinit.exe
1276	userinit.exe
1276	userinit.exe
3676	system.exe
3676	system.exe
1276	userinit.exe
1276	userinit.exe
4280	system.exe
4280	system.exe
1276	userinit.exe
1276	userinit.exe
1616	system.exe
1616	system.exe
1276	userinit.exe
1276	userinit.exe
2172	system.exe
2172	system.exe
1276	userinit.exe
1276	userinit.exe
4408	system.exe
4408	system.exe
1276	userinit.exe
1276	userinit.exe
2512	system.exe
2512	system.exe
1276	userinit.exe
1276	userinit.exe
3312	system.exe
3312	system.exe
1276	userinit.exe
1276	userinit.exe
4004	system.exe
4004	system.exe
1276	userinit.exe
1276	userinit.exe
3124	system.exe
3124	system.exe
1276	userinit.exe
1276	userinit.exe
1044	system.exe
1044	system.exe
1276	userinit.exe
1276	userinit.exe
1052	system.exe
1052	system.exe
1276	userinit.exe
1276	userinit.exe
2448	system.exe
2448	system.exe
1276	userinit.exe
1276	userinit.exe
4768	system.exe
4768	system.exe
1276	userinit.exe
1276	userinit.exe
4468	system.exe
4468	system.exe
1276	userinit.exe
1276	userinit.exe
1848	system.exe
1848	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
1276	userinit.exe
1276	userinit.exe
3676	system.exe
3676	system.exe
4280	system.exe
4280	system.exe
1616	system.exe
1616	system.exe
2172	system.exe
2172	system.exe
4408	system.exe
4408	system.exe
2512	system.exe
2512	system.exe
3312	system.exe
3312	system.exe
4004	system.exe
4004	system.exe
3124	system.exe
3124	system.exe
1044	system.exe
1044	system.exe
1052	system.exe
1052	system.exe
2448	system.exe
2448	system.exe
4768	system.exe
4768	system.exe
4468	system.exe
4468	system.exe
1848	system.exe
1848	system.exe
3128	system.exe
3128	system.exe
3812	system.exe
3812	system.exe
2336	system.exe
2336	system.exe
2324	system.exe
2324	system.exe
552	system.exe
552	system.exe
3904	system.exe
3904	system.exe
1596	system.exe
1596	system.exe
2084	system.exe
2084	system.exe
1960	system.exe
1960	system.exe
4864	system.exe
4864	system.exe
4800	system.exe
4800	system.exe
2932	system.exe
2932	system.exe
2664	system.exe
2664	system.exe
1732	system.exe
1732	system.exe
1040	system.exe
1040	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1276	1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	84
PID 1624 wrote to memory of 1276	1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	84
PID 1624 wrote to memory of 1276	1624	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	84
PID 1276 wrote to memory of 3676	1276	userinit.exe	88
PID 1276 wrote to memory of 3676	1276	userinit.exe	88
PID 1276 wrote to memory of 3676	1276	userinit.exe	88
PID 1276 wrote to memory of 4280	1276	userinit.exe	91
PID 1276 wrote to memory of 4280	1276	userinit.exe	91
PID 1276 wrote to memory of 4280	1276	userinit.exe	91
PID 1276 wrote to memory of 1616	1276	userinit.exe	94
PID 1276 wrote to memory of 1616	1276	userinit.exe	94
PID 1276 wrote to memory of 1616	1276	userinit.exe	94
PID 1276 wrote to memory of 2172	1276	userinit.exe	95
PID 1276 wrote to memory of 2172	1276	userinit.exe	95
PID 1276 wrote to memory of 2172	1276	userinit.exe	95
PID 1276 wrote to memory of 4408	1276	userinit.exe	96
PID 1276 wrote to memory of 4408	1276	userinit.exe	96
PID 1276 wrote to memory of 4408	1276	userinit.exe	96
PID 1276 wrote to memory of 2512	1276	userinit.exe	98
PID 1276 wrote to memory of 2512	1276	userinit.exe	98
PID 1276 wrote to memory of 2512	1276	userinit.exe	98
PID 1276 wrote to memory of 3312	1276	userinit.exe	99
PID 1276 wrote to memory of 3312	1276	userinit.exe	99
PID 1276 wrote to memory of 3312	1276	userinit.exe	99
PID 1276 wrote to memory of 4004	1276	userinit.exe	100
PID 1276 wrote to memory of 4004	1276	userinit.exe	100
PID 1276 wrote to memory of 4004	1276	userinit.exe	100
PID 1276 wrote to memory of 3124	1276	userinit.exe	102
PID 1276 wrote to memory of 3124	1276	userinit.exe	102
PID 1276 wrote to memory of 3124	1276	userinit.exe	102
PID 1276 wrote to memory of 1044	1276	userinit.exe	103
PID 1276 wrote to memory of 1044	1276	userinit.exe	103
PID 1276 wrote to memory of 1044	1276	userinit.exe	103
PID 1276 wrote to memory of 1052	1276	userinit.exe	104
PID 1276 wrote to memory of 1052	1276	userinit.exe	104
PID 1276 wrote to memory of 1052	1276	userinit.exe	104
PID 1276 wrote to memory of 2448	1276	userinit.exe	106
PID 1276 wrote to memory of 2448	1276	userinit.exe	106
PID 1276 wrote to memory of 2448	1276	userinit.exe	106
PID 1276 wrote to memory of 4768	1276	userinit.exe	107
PID 1276 wrote to memory of 4768	1276	userinit.exe	107
PID 1276 wrote to memory of 4768	1276	userinit.exe	107
PID 1276 wrote to memory of 4468	1276	userinit.exe	108
PID 1276 wrote to memory of 4468	1276	userinit.exe	108
PID 1276 wrote to memory of 4468	1276	userinit.exe	108
PID 1276 wrote to memory of 1848	1276	userinit.exe	109
PID 1276 wrote to memory of 1848	1276	userinit.exe	109
PID 1276 wrote to memory of 1848	1276	userinit.exe	109
PID 1276 wrote to memory of 3128	1276	userinit.exe	110
PID 1276 wrote to memory of 3128	1276	userinit.exe	110
PID 1276 wrote to memory of 3128	1276	userinit.exe	110
PID 1276 wrote to memory of 3812	1276	userinit.exe	111
PID 1276 wrote to memory of 3812	1276	userinit.exe	111
PID 1276 wrote to memory of 3812	1276	userinit.exe	111
PID 1276 wrote to memory of 2336	1276	userinit.exe	112
PID 1276 wrote to memory of 2336	1276	userinit.exe	112
PID 1276 wrote to memory of 2336	1276	userinit.exe	112
PID 1276 wrote to memory of 2324	1276	userinit.exe	113
PID 1276 wrote to memory of 2324	1276	userinit.exe	113
PID 1276 wrote to memory of 2324	1276	userinit.exe	113
PID 1276 wrote to memory of 552	1276	userinit.exe	114
PID 1276 wrote to memory of 552	1276	userinit.exe	114
PID 1276 wrote to memory of 552	1276	userinit.exe	114
PID 1276 wrote to memory of 3904	1276	userinit.exe	115

C:\Users\Admin\AppData\Local\Temp\8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:8
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
71KB

MD5
8eb0a3a616f58e9075774764357c6ab7

SHA1
58379870ff54e6abb0f0c17771fb94df22ef49ba

SHA256
ada27e7c13d4e381025cd84c44431eda399bb2d4e808cadfd8b842e47b9d83c1

SHA512
ff9b388058aa6c18ff4f2eec0d98dd055a0dbb3596c9d6bd76830d547e024ffed47b30ad2800f6a15e21b11006a03201b1d195325edbd1d37aaf1d88d9fcd7f3

Download Submit
memory/8-259-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/448-529-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/552-135-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/776-716-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1040-186-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1044-84-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1052-89-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1108-489-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1116-696-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-177-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-224-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-322-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-438-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-126-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-11-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-80-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1276-12-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1372-602-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1416-668-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1504-269-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1588-658-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1588-396-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1596-145-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1616-45-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1616-40-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1616-39-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1624-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1624-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1624-18-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1624-19-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1652-401-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1732-181-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1776-360-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1848-109-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1848-391-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1944-338-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1960-155-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2072-375-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2076-290-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2084-150-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2088-197-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2172-51-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2172-47-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2176-427-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2176-432-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2248-538-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2324-130-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2336-124-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2448-94-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2484-578-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2512-59-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2512-63-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2664-175-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2696-217-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2696-365-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2784-607-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2808-698-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2808-703-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2812-663-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2864-235-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2864-239-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2900-422-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2932-170-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3020-264-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3124-78-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3128-114-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3312-68-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3336-222-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3352-300-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3432-370-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3436-191-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3472-461-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3508-524-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3524-244-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3584-249-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3600-593-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3632-320-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3644-437-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3676-29-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3692-207-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3772-638-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3812-119-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3832-305-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3844-327-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3844-323-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3896-725-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3904-140-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3952-233-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3956-573-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4004-73-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4044-344-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4212-280-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4248-228-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4256-202-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4280-31-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4280-36-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4280-37-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4280-32-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4296-653-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4296-648-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4352-415-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4356-274-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4408-57-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4408-53-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4432-499-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4456-410-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4460-613-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4468-104-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4512-494-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4580-315-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4580-588-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4628-730-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4640-678-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4652-559-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4652-691-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4756-519-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4768-99-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4792-476-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4800-165-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4824-212-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4832-513-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4844-443-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4864-160-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4864-452-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4892-355-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4896-673-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4896-254-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4976-350-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5000-386-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5028-583-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5028-310-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5044-420-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5048-381-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5108-466-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5116-504-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download