2430d040cac8edbdcf457f346ed497f7ebb471e63149869b91625dbb3af32d7e

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
Size

233KB
MD5

aa22e04e78d0e84fa7d1bbdd6b15388b
SHA1

4e66da9e2a67241deb0b8dec02b82822db932dc5
SHA256

2430d040cac8edbdcf457f346ed497f7ebb471e63149869b91625dbb3af32d7e
SHA512

0f43d5e11ee5f199db91c42250c81311089bd105c7432aefdd22a2fd04eca6d6d05afb6fb082d7afa21680c220b66d54528236a770339eb493077b88db065107
SSDEEP

1536:qf1zwQVgon/3zeQplOQTO1OdB3923jpTf1zwQVgvw8UBgd:S1zwLe/3zeQLTrdB3Ip71zwLvwV

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
5036	userinit.exe
1536	system.exe
4272	system.exe
2584	system.exe
4672	system.exe
4592	system.exe
4856	system.exe
2436	system.exe
4452	system.exe
2820	system.exe
2872	system.exe
3976	system.exe
4684	system.exe
4884	system.exe
3292	system.exe
3696	system.exe
2616	system.exe
1692	system.exe
3916	system.exe
4340	system.exe
4796	system.exe
4312	system.exe
1956	system.exe
2660	system.exe
4652	system.exe
2088	system.exe
2864	system.exe
3076	system.exe
5108	system.exe
2600	system.exe
1504	system.exe
3212	system.exe
1824	system.exe
3012	system.exe
4884	system.exe
3292	system.exe
856	system.exe
3868	system.exe
1316	system.exe
3472	system.exe
1632	system.exe
1272	system.exe
4472	system.exe
1536	system.exe
4996	system.exe
3176	system.exe
4092	system.exe
3244	system.exe
4272	system.exe
1092	system.exe
2560	system.exe
2160	system.exe
4344	system.exe
3060	system.exe
4008	system.exe
2036	system.exe
4624	system.exe
5044	system.exe
4452	system.exe
1668	system.exe
1456	system.exe
2788	system.exe
4660	system.exe
1556	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
5036	userinit.exe
5036	userinit.exe
5036	userinit.exe
5036	userinit.exe
1536	system.exe
1536	system.exe
5036	userinit.exe
5036	userinit.exe
4272	system.exe
4272	system.exe
5036	userinit.exe
5036	userinit.exe
2584	system.exe
2584	system.exe
5036	userinit.exe
5036	userinit.exe
4672	system.exe
4672	system.exe
5036	userinit.exe
5036	userinit.exe
4592	system.exe
4592	system.exe
5036	userinit.exe
5036	userinit.exe
4856	system.exe
4856	system.exe
5036	userinit.exe
5036	userinit.exe
2436	system.exe
2436	system.exe
5036	userinit.exe
5036	userinit.exe
4452	system.exe
4452	system.exe
5036	userinit.exe
5036	userinit.exe
2820	system.exe
2820	system.exe
5036	userinit.exe
5036	userinit.exe
2872	system.exe
2872	system.exe
5036	userinit.exe
5036	userinit.exe
3976	system.exe
3976	system.exe
5036	userinit.exe
5036	userinit.exe
4684	system.exe
4684	system.exe
5036	userinit.exe
5036	userinit.exe
4884	system.exe
4884	system.exe
5036	userinit.exe
5036	userinit.exe
3292	system.exe
3292	system.exe
5036	userinit.exe
5036	userinit.exe
3696	system.exe
3696	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5036	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
5036	userinit.exe
5036	userinit.exe
1536	system.exe
1536	system.exe
4272	system.exe
4272	system.exe
2584	system.exe
2584	system.exe
4672	system.exe
4672	system.exe
4592	system.exe
4592	system.exe
4856	system.exe
4856	system.exe
2436	system.exe
2436	system.exe
4452	system.exe
4452	system.exe
2820	system.exe
2820	system.exe
2872	system.exe
2872	system.exe
3976	system.exe
3976	system.exe
4684	system.exe
4684	system.exe
4884	system.exe
4884	system.exe
3292	system.exe
3292	system.exe
3696	system.exe
3696	system.exe
2616	system.exe
2616	system.exe
1692	system.exe
1692	system.exe
3916	system.exe
3916	system.exe
4340	system.exe
4340	system.exe
4796	system.exe
4796	system.exe
4312	system.exe
4312	system.exe
1956	system.exe
1956	system.exe
2660	system.exe
2660	system.exe
4652	system.exe
4652	system.exe
2088	system.exe
2088	system.exe
2864	system.exe
2864	system.exe
3076	system.exe
3076	system.exe
5108	system.exe
5108	system.exe
2600	system.exe
2600	system.exe
1504	system.exe
1504	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 5036	1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	84
PID 1316 wrote to memory of 5036	1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	84
PID 1316 wrote to memory of 5036	1316	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	84
PID 5036 wrote to memory of 1536	5036	userinit.exe	88
PID 5036 wrote to memory of 1536	5036	userinit.exe	88
PID 5036 wrote to memory of 1536	5036	userinit.exe	88
PID 5036 wrote to memory of 4272	5036	userinit.exe	90
PID 5036 wrote to memory of 4272	5036	userinit.exe	90
PID 5036 wrote to memory of 4272	5036	userinit.exe	90
PID 5036 wrote to memory of 2584	5036	userinit.exe	91
PID 5036 wrote to memory of 2584	5036	userinit.exe	91
PID 5036 wrote to memory of 2584	5036	userinit.exe	91
PID 5036 wrote to memory of 4672	5036	userinit.exe	92
PID 5036 wrote to memory of 4672	5036	userinit.exe	92
PID 5036 wrote to memory of 4672	5036	userinit.exe	92
PID 5036 wrote to memory of 4592	5036	userinit.exe	93
PID 5036 wrote to memory of 4592	5036	userinit.exe	93
PID 5036 wrote to memory of 4592	5036	userinit.exe	93
PID 5036 wrote to memory of 4856	5036	userinit.exe	96
PID 5036 wrote to memory of 4856	5036	userinit.exe	96
PID 5036 wrote to memory of 4856	5036	userinit.exe	96
PID 5036 wrote to memory of 2436	5036	userinit.exe	99
PID 5036 wrote to memory of 2436	5036	userinit.exe	99
PID 5036 wrote to memory of 2436	5036	userinit.exe	99
PID 5036 wrote to memory of 4452	5036	userinit.exe	100
PID 5036 wrote to memory of 4452	5036	userinit.exe	100
PID 5036 wrote to memory of 4452	5036	userinit.exe	100
PID 5036 wrote to memory of 2820	5036	userinit.exe	101
PID 5036 wrote to memory of 2820	5036	userinit.exe	101
PID 5036 wrote to memory of 2820	5036	userinit.exe	101
PID 5036 wrote to memory of 2872	5036	userinit.exe	103
PID 5036 wrote to memory of 2872	5036	userinit.exe	103
PID 5036 wrote to memory of 2872	5036	userinit.exe	103
PID 5036 wrote to memory of 3976	5036	userinit.exe	104
PID 5036 wrote to memory of 3976	5036	userinit.exe	104
PID 5036 wrote to memory of 3976	5036	userinit.exe	104
PID 5036 wrote to memory of 4684	5036	userinit.exe	106
PID 5036 wrote to memory of 4684	5036	userinit.exe	106
PID 5036 wrote to memory of 4684	5036	userinit.exe	106
PID 5036 wrote to memory of 4884	5036	userinit.exe	108
PID 5036 wrote to memory of 4884	5036	userinit.exe	108
PID 5036 wrote to memory of 4884	5036	userinit.exe	108
PID 5036 wrote to memory of 3292	5036	userinit.exe	109
PID 5036 wrote to memory of 3292	5036	userinit.exe	109
PID 5036 wrote to memory of 3292	5036	userinit.exe	109
PID 5036 wrote to memory of 3696	5036	userinit.exe	110
PID 5036 wrote to memory of 3696	5036	userinit.exe	110
PID 5036 wrote to memory of 3696	5036	userinit.exe	110
PID 5036 wrote to memory of 2616	5036	userinit.exe	111
PID 5036 wrote to memory of 2616	5036	userinit.exe	111
PID 5036 wrote to memory of 2616	5036	userinit.exe	111
PID 5036 wrote to memory of 1692	5036	userinit.exe	112
PID 5036 wrote to memory of 1692	5036	userinit.exe	112
PID 5036 wrote to memory of 1692	5036	userinit.exe	112
PID 5036 wrote to memory of 3916	5036	userinit.exe	113
PID 5036 wrote to memory of 3916	5036	userinit.exe	113
PID 5036 wrote to memory of 3916	5036	userinit.exe	113
PID 5036 wrote to memory of 4340	5036	userinit.exe	114
PID 5036 wrote to memory of 4340	5036	userinit.exe	114
PID 5036 wrote to memory of 4340	5036	userinit.exe	114
PID 5036 wrote to memory of 4796	5036	userinit.exe	115
PID 5036 wrote to memory of 4796	5036	userinit.exe	115
PID 5036 wrote to memory of 4796	5036	userinit.exe	115
PID 5036 wrote to memory of 4312	5036	userinit.exe	116

C:\Users\Admin\AppData\Local\Temp\aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
233KB

MD5
aa22e04e78d0e84fa7d1bbdd6b15388b

SHA1
4e66da9e2a67241deb0b8dec02b82822db932dc5

SHA256
2430d040cac8edbdcf457f346ed497f7ebb471e63149869b91625dbb3af32d7e

SHA512
0f43d5e11ee5f199db91c42250c81311089bd105c7432aefdd22a2fd04eca6d6d05afb6fb082d7afa21680c220b66d54528236a770339eb493077b88db065107

Download Submit
memory/228-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1472-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3528-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3868-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-74-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4312-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download