8d569fd43f00b7e277e5665c781c88252956a542525e9204f05020e800961b62

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
Size

68KB
MD5

c0630fa486eab503735b48d6b9f50928
SHA1

e1ae200c9ae0966df4dfc23ec74241706f8d8cdd
SHA256

8d569fd43f00b7e277e5665c781c88252956a542525e9204f05020e800961b62
SHA512

c4d45c22dd30787aa0af48e940140fa1c40783e8f514538407d10370889fce39978f0517a592961549974d6ec5cee5b400e8b281d3f307f65b562bab1fcdea46
SSDEEP

768:BnX7Ag5YxnE+O1dh9EBnr5R+9LOZdU1paOFbMNXVlqf1zBmQzTGfmgyqaq:BnXsXEf1dzwnr5R6869yXmf1zwQVgva

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
4316	userinit.exe
372	system.exe
2288	system.exe
1964	system.exe
4736	system.exe
4940	system.exe
4956	system.exe
2540	system.exe
4628	system.exe
3476	system.exe
2292	system.exe
4920	system.exe
4120	system.exe
4936	system.exe
1152	system.exe
4452	system.exe
540	system.exe
4268	system.exe
4132	system.exe
3688	system.exe
964	system.exe
4776	system.exe
376	system.exe
3348	system.exe
1344	system.exe
2696	system.exe
4020	system.exe
2288	system.exe
1500	system.exe
4904	system.exe
1168	system.exe
4512	system.exe
4444	system.exe
3952	system.exe
4364	system.exe
3688	system.exe
5100	system.exe
4948	system.exe
1032	system.exe
4040	system.exe
3516	system.exe
1692	system.exe
1976	system.exe
820	system.exe
3736	system.exe
3456	system.exe
368	system.exe
3636	system.exe
4756	system.exe
468	system.exe
2528	system.exe
540	system.exe
3208	system.exe
2076	system.exe
3928	system.exe
3388	system.exe
4604	system.exe
3664	system.exe
4784	system.exe
4408	system.exe
876	system.exe
2144	system.exe
2304	system.exe
4556	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
4316	userinit.exe
4316	userinit.exe
4316	userinit.exe
4316	userinit.exe
372	system.exe
372	system.exe
4316	userinit.exe
4316	userinit.exe
2288	system.exe
2288	system.exe
4316	userinit.exe
4316	userinit.exe
1964	system.exe
1964	system.exe
4316	userinit.exe
4316	userinit.exe
4736	system.exe
4736	system.exe
4316	userinit.exe
4316	userinit.exe
4940	system.exe
4940	system.exe
4316	userinit.exe
4316	userinit.exe
4956	system.exe
4956	system.exe
4316	userinit.exe
4316	userinit.exe
2540	system.exe
2540	system.exe
4316	userinit.exe
4316	userinit.exe
4628	system.exe
4628	system.exe
4316	userinit.exe
4316	userinit.exe
3476	system.exe
3476	system.exe
4316	userinit.exe
4316	userinit.exe
2292	system.exe
2292	system.exe
4316	userinit.exe
4316	userinit.exe
4920	system.exe
4920	system.exe
4316	userinit.exe
4316	userinit.exe
4120	system.exe
4120	system.exe
4316	userinit.exe
4316	userinit.exe
4936	system.exe
4936	system.exe
4316	userinit.exe
4316	userinit.exe
1152	system.exe
1152	system.exe
4316	userinit.exe
4316	userinit.exe
4452	system.exe
4452	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4316	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
4316	userinit.exe
4316	userinit.exe
372	system.exe
372	system.exe
2288	system.exe
2288	system.exe
1964	system.exe
1964	system.exe
4736	system.exe
4736	system.exe
4940	system.exe
4940	system.exe
4956	system.exe
4956	system.exe
2540	system.exe
2540	system.exe
4628	system.exe
4628	system.exe
3476	system.exe
3476	system.exe
2292	system.exe
2292	system.exe
4920	system.exe
4920	system.exe
4120	system.exe
4120	system.exe
4936	system.exe
4936	system.exe
1152	system.exe
1152	system.exe
4452	system.exe
4452	system.exe
540	system.exe
540	system.exe
4268	system.exe
4268	system.exe
3688	system.exe
3688	system.exe
964	system.exe
964	system.exe
4776	system.exe
4776	system.exe
376	system.exe
376	system.exe
3348	system.exe
3348	system.exe
1344	system.exe
1344	system.exe
2696	system.exe
2696	system.exe
4020	system.exe
4020	system.exe
2288	system.exe
2288	system.exe
1500	system.exe
1500	system.exe
4904	system.exe
4904	system.exe
1168	system.exe
1168	system.exe
4512	system.exe
4512	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 4316	3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	86
PID 3920 wrote to memory of 4316	3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	86
PID 3920 wrote to memory of 4316	3920	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	86
PID 4316 wrote to memory of 372	4316	userinit.exe	88
PID 4316 wrote to memory of 372	4316	userinit.exe	88
PID 4316 wrote to memory of 372	4316	userinit.exe	88
PID 4316 wrote to memory of 2288	4316	userinit.exe	89
PID 4316 wrote to memory of 2288	4316	userinit.exe	89
PID 4316 wrote to memory of 2288	4316	userinit.exe	89
PID 4316 wrote to memory of 1964	4316	userinit.exe	92
PID 4316 wrote to memory of 1964	4316	userinit.exe	92
PID 4316 wrote to memory of 1964	4316	userinit.exe	92
PID 4316 wrote to memory of 4736	4316	userinit.exe	95
PID 4316 wrote to memory of 4736	4316	userinit.exe	95
PID 4316 wrote to memory of 4736	4316	userinit.exe	95
PID 4316 wrote to memory of 4940	4316	userinit.exe	96
PID 4316 wrote to memory of 4940	4316	userinit.exe	96
PID 4316 wrote to memory of 4940	4316	userinit.exe	96
PID 4316 wrote to memory of 4956	4316	userinit.exe	97
PID 4316 wrote to memory of 4956	4316	userinit.exe	97
PID 4316 wrote to memory of 4956	4316	userinit.exe	97
PID 4316 wrote to memory of 2540	4316	userinit.exe	99
PID 4316 wrote to memory of 2540	4316	userinit.exe	99
PID 4316 wrote to memory of 2540	4316	userinit.exe	99
PID 4316 wrote to memory of 4628	4316	userinit.exe	100
PID 4316 wrote to memory of 4628	4316	userinit.exe	100
PID 4316 wrote to memory of 4628	4316	userinit.exe	100
PID 4316 wrote to memory of 3476	4316	userinit.exe	101
PID 4316 wrote to memory of 3476	4316	userinit.exe	101
PID 4316 wrote to memory of 3476	4316	userinit.exe	101
PID 4316 wrote to memory of 2292	4316	userinit.exe	104
PID 4316 wrote to memory of 2292	4316	userinit.exe	104
PID 4316 wrote to memory of 2292	4316	userinit.exe	104
PID 4316 wrote to memory of 4920	4316	userinit.exe	105
PID 4316 wrote to memory of 4920	4316	userinit.exe	105
PID 4316 wrote to memory of 4920	4316	userinit.exe	105
PID 4316 wrote to memory of 4120	4316	userinit.exe	106
PID 4316 wrote to memory of 4120	4316	userinit.exe	106
PID 4316 wrote to memory of 4120	4316	userinit.exe	106
PID 4316 wrote to memory of 4936	4316	userinit.exe	107
PID 4316 wrote to memory of 4936	4316	userinit.exe	107
PID 4316 wrote to memory of 4936	4316	userinit.exe	107
PID 4316 wrote to memory of 1152	4316	userinit.exe	108
PID 4316 wrote to memory of 1152	4316	userinit.exe	108
PID 4316 wrote to memory of 1152	4316	userinit.exe	108
PID 4316 wrote to memory of 4452	4316	userinit.exe	109
PID 4316 wrote to memory of 4452	4316	userinit.exe	109
PID 4316 wrote to memory of 4452	4316	userinit.exe	109
PID 4316 wrote to memory of 540	4316	userinit.exe	110
PID 4316 wrote to memory of 540	4316	userinit.exe	110
PID 4316 wrote to memory of 540	4316	userinit.exe	110
PID 4316 wrote to memory of 4268	4316	userinit.exe	111
PID 4316 wrote to memory of 4268	4316	userinit.exe	111
PID 4316 wrote to memory of 4268	4316	userinit.exe	111
PID 4316 wrote to memory of 4132	4316	userinit.exe	112
PID 4316 wrote to memory of 4132	4316	userinit.exe	112
PID 4316 wrote to memory of 4132	4316	userinit.exe	112
PID 4316 wrote to memory of 3688	4316	userinit.exe	113
PID 4316 wrote to memory of 3688	4316	userinit.exe	113
PID 4316 wrote to memory of 3688	4316	userinit.exe	113
PID 4316 wrote to memory of 964	4316	userinit.exe	114
PID 4316 wrote to memory of 964	4316	userinit.exe	114
PID 4316 wrote to memory of 964	4316	userinit.exe	114
PID 4316 wrote to memory of 4776	4316	userinit.exe	115

C:\Users\Admin\AppData\Local\Temp\c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
68KB

MD5
c0630fa486eab503735b48d6b9f50928

SHA1
e1ae200c9ae0966df4dfc23ec74241706f8d8cdd

SHA256
8d569fd43f00b7e277e5665c781c88252956a542525e9204f05020e800961b62

SHA512
c4d45c22dd30787aa0af48e940140fa1c40783e8f514538407d10370889fce39978f0517a592961549974d6ec5cee5b400e8b281d3f307f65b562bab1fcdea46

Download Submit
memory/8-626-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/372-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/372-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/372-25-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/376-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/440-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/684-568-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-435-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-563-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-529-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1120-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1152-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1152-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-649-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-675-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1920-573-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-43-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1976-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2076-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2076-607-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-742-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-469-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-728-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-37-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2288-32-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2288-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2304-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-597-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2532-737-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-543-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-655-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2640-670-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-714-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-475-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-583-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-602-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3388-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3392-693-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-504-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3476-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3584-524-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3584-709-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3736-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3816-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-613-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-17-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3920-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3928-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4044-444-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4120-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4132-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4132-486-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-723-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4180-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-660-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4268-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-704-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4288-499-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-464-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4620-578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-519-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-45-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4756-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4776-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4784-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4896-480-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4896-644-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4940-55-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4940-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-548-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-588-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4988-639-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-698-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-665-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-688-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download