0ef0aaa64b2f013d6acddbed59684558bc5f34855159cbc12c098cc4072f45b8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
Size

746KB
MD5

d1c10ac6988580a48b5a4b0ff4ec1298
SHA1

bc780cb6a81a9eea7e64dc0df9c865ab720f84b8
SHA256

0ef0aaa64b2f013d6acddbed59684558bc5f34855159cbc12c098cc4072f45b8
SHA512

95b050bd72dea6758c9c77e52536c8bb10e8de03ff99e9c89044b6f456d8e3795b47f514c69f7681dd1743b8b3200eb3818945e2d8c4d9594e497b86af72797f
SSDEEP

12288:gvehvlYuXb6cK4QJrr186amIWge+RCQdyIMA65xb/T+ZXmwWE43LY/g5Bx:gvehviuXbZKXJrr186amIWgVRFyIMX5F

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
936	userinit.exe
3168	system.exe
4028	system.exe
1872	system.exe
1648	system.exe
3412	system.exe
4784	system.exe
2772	system.exe
4852	system.exe
384	system.exe
3320	system.exe
4932	system.exe
1908	system.exe
3492	system.exe
1128	system.exe
3460	system.exe
4864	system.exe
3484	system.exe
3892	system.exe
4356	system.exe
4704	system.exe
876	system.exe
2984	system.exe
4044	system.exe
4772	system.exe
3028	system.exe
772	system.exe
400	system.exe
4844	system.exe
3528	system.exe
2216	system.exe
3148	system.exe
1872	system.exe
844	system.exe
1376	system.exe
4660	system.exe
4128	system.exe
3348	system.exe
3568	system.exe
1332	system.exe
1908	system.exe
2468	system.exe
4788	system.exe
2124	system.exe
4316	system.exe
968	system.exe
680	system.exe
1952	system.exe
3448	system.exe
876	system.exe
2676	system.exe
1260	system.exe
3980	system.exe
3028	system.exe
4328	system.exe
3984	system.exe
2856	system.exe
3284	system.exe
3428	system.exe
2952	system.exe
3084	system.exe
2092	system.exe
4372	system.exe
2192	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
936	userinit.exe
936	userinit.exe
936	userinit.exe
936	userinit.exe
3168	system.exe
3168	system.exe
936	userinit.exe
936	userinit.exe
4028	system.exe
4028	system.exe
936	userinit.exe
936	userinit.exe
1872	system.exe
1872	system.exe
936	userinit.exe
936	userinit.exe
1648	system.exe
1648	system.exe
936	userinit.exe
936	userinit.exe
3412	system.exe
3412	system.exe
936	userinit.exe
936	userinit.exe
4784	system.exe
4784	system.exe
936	userinit.exe
936	userinit.exe
2772	system.exe
2772	system.exe
936	userinit.exe
936	userinit.exe
4852	system.exe
4852	system.exe
936	userinit.exe
936	userinit.exe
384	system.exe
384	system.exe
936	userinit.exe
936	userinit.exe
3320	system.exe
3320	system.exe
936	userinit.exe
936	userinit.exe
4932	system.exe
4932	system.exe
936	userinit.exe
936	userinit.exe
1908	system.exe
1908	system.exe
936	userinit.exe
936	userinit.exe
3492	system.exe
3492	system.exe
936	userinit.exe
936	userinit.exe
1128	system.exe
1128	system.exe
936	userinit.exe
936	userinit.exe
3460	system.exe
3460	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
936	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
936	userinit.exe
936	userinit.exe
3168	system.exe
3168	system.exe
4028	system.exe
4028	system.exe
1872	system.exe
1872	system.exe
1648	system.exe
1648	system.exe
3412	system.exe
3412	system.exe
4784	system.exe
4784	system.exe
2772	system.exe
2772	system.exe
4852	system.exe
4852	system.exe
384	system.exe
384	system.exe
3320	system.exe
3320	system.exe
4932	system.exe
4932	system.exe
1908	system.exe
1908	system.exe
3492	system.exe
3492	system.exe
1128	system.exe
1128	system.exe
3460	system.exe
3460	system.exe
4864	system.exe
4864	system.exe
3484	system.exe
3484	system.exe
3892	system.exe
3892	system.exe
4356	system.exe
4356	system.exe
4704	system.exe
4704	system.exe
876	system.exe
876	system.exe
2984	system.exe
2984	system.exe
4044	system.exe
4044	system.exe
4772	system.exe
4772	system.exe
3028	system.exe
3028	system.exe
772	system.exe
772	system.exe
400	system.exe
400	system.exe
4844	system.exe
4844	system.exe
3528	system.exe
3528	system.exe
2216	system.exe
2216	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 936	4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	86
PID 4108 wrote to memory of 936	4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	86
PID 4108 wrote to memory of 936	4108	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	86
PID 936 wrote to memory of 3168	936	userinit.exe	89
PID 936 wrote to memory of 3168	936	userinit.exe	89
PID 936 wrote to memory of 3168	936	userinit.exe	89
PID 936 wrote to memory of 4028	936	userinit.exe	91
PID 936 wrote to memory of 4028	936	userinit.exe	91
PID 936 wrote to memory of 4028	936	userinit.exe	91
PID 936 wrote to memory of 1872	936	userinit.exe	92
PID 936 wrote to memory of 1872	936	userinit.exe	92
PID 936 wrote to memory of 1872	936	userinit.exe	92
PID 936 wrote to memory of 1648	936	userinit.exe	93
PID 936 wrote to memory of 1648	936	userinit.exe	93
PID 936 wrote to memory of 1648	936	userinit.exe	93
PID 936 wrote to memory of 3412	936	userinit.exe	94
PID 936 wrote to memory of 3412	936	userinit.exe	94
PID 936 wrote to memory of 3412	936	userinit.exe	94
PID 936 wrote to memory of 4784	936	userinit.exe	95
PID 936 wrote to memory of 4784	936	userinit.exe	95
PID 936 wrote to memory of 4784	936	userinit.exe	95
PID 936 wrote to memory of 2772	936	userinit.exe	96
PID 936 wrote to memory of 2772	936	userinit.exe	96
PID 936 wrote to memory of 2772	936	userinit.exe	96
PID 936 wrote to memory of 4852	936	userinit.exe	97
PID 936 wrote to memory of 4852	936	userinit.exe	97
PID 936 wrote to memory of 4852	936	userinit.exe	97
PID 936 wrote to memory of 384	936	userinit.exe	98
PID 936 wrote to memory of 384	936	userinit.exe	98
PID 936 wrote to memory of 384	936	userinit.exe	98
PID 936 wrote to memory of 3320	936	userinit.exe	99
PID 936 wrote to memory of 3320	936	userinit.exe	99
PID 936 wrote to memory of 3320	936	userinit.exe	99
PID 936 wrote to memory of 4932	936	userinit.exe	100
PID 936 wrote to memory of 4932	936	userinit.exe	100
PID 936 wrote to memory of 4932	936	userinit.exe	100
PID 936 wrote to memory of 1908	936	userinit.exe	101
PID 936 wrote to memory of 1908	936	userinit.exe	101
PID 936 wrote to memory of 1908	936	userinit.exe	101
PID 936 wrote to memory of 3492	936	userinit.exe	102
PID 936 wrote to memory of 3492	936	userinit.exe	102
PID 936 wrote to memory of 3492	936	userinit.exe	102
PID 936 wrote to memory of 1128	936	userinit.exe	103
PID 936 wrote to memory of 1128	936	userinit.exe	103
PID 936 wrote to memory of 1128	936	userinit.exe	103
PID 936 wrote to memory of 3460	936	userinit.exe	104
PID 936 wrote to memory of 3460	936	userinit.exe	104
PID 936 wrote to memory of 3460	936	userinit.exe	104
PID 936 wrote to memory of 4864	936	userinit.exe	105
PID 936 wrote to memory of 4864	936	userinit.exe	105
PID 936 wrote to memory of 4864	936	userinit.exe	105
PID 936 wrote to memory of 3484	936	userinit.exe	106
PID 936 wrote to memory of 3484	936	userinit.exe	106
PID 936 wrote to memory of 3484	936	userinit.exe	106
PID 936 wrote to memory of 3892	936	userinit.exe	107
PID 936 wrote to memory of 3892	936	userinit.exe	107
PID 936 wrote to memory of 3892	936	userinit.exe	107
PID 936 wrote to memory of 4356	936	userinit.exe	108
PID 936 wrote to memory of 4356	936	userinit.exe	108
PID 936 wrote to memory of 4356	936	userinit.exe	108
PID 936 wrote to memory of 4704	936	userinit.exe	109
PID 936 wrote to memory of 4704	936	userinit.exe	109
PID 936 wrote to memory of 4704	936	userinit.exe	109
PID 936 wrote to memory of 876	936	userinit.exe	110

C:\Users\Admin\AppData\Local\Temp\d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
746KB

MD5
d1c10ac6988580a48b5a4b0ff4ec1298

SHA1
bc780cb6a81a9eea7e64dc0df9c865ab720f84b8

SHA256
0ef0aaa64b2f013d6acddbed59684558bc5f34855159cbc12c098cc4072f45b8

SHA512
95b050bd72dea6758c9c77e52536c8bb10e8de03ff99e9c89044b6f456d8e3795b47f514c69f7681dd1743b8b3200eb3818945e2d8c4d9594e497b86af72797f

Download Submit
memory/384-75-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/400-169-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/508-450-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/680-268-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/736-445-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/748-715-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/768-500-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/772-675-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/844-200-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/844-749-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/876-284-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/876-138-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-175-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-321-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-44-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/936-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-222-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-122-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-274-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/936-76-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-259-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-263-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1128-101-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1196-739-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1260-294-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1308-636-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1316-744-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1332-232-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1376-205-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1376-565-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1412-725-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1532-395-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1648-46-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1648-50-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1732-369-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1872-39-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1872-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1872-195-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-525-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1908-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-641-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-273-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2092-349-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2112-600-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2124-435-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2124-252-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2132-581-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2144-540-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2184-390-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2192-359-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2192-555-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2216-185-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2216-530-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2312-709-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2404-364-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2460-464-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2468-242-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2560-610-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2612-459-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2676-655-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2676-289-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2704-374-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2748-490-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2772-571-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2772-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2804-514-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2856-320-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2880-509-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2920-685-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-704-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2940-415-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2944-495-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2952-337-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2984-469-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2984-143-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3008-605-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3028-304-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3028-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3044-699-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3076-646-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3080-420-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3084-343-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3088-720-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3144-734-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3148-190-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3148-535-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3168-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3168-25-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3168-30-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3284-326-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3312-405-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3320-81-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3348-221-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3380-440-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3412-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3448-279-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3460-106-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3484-116-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3492-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-545-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3528-180-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3568-227-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3892-121-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3980-299-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3984-311-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3984-315-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4028-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4028-37-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4028-32-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4044-148-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4104-690-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4108-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4108-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4108-17-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4108-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4128-215-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4188-475-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4208-430-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4208-621-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4316-631-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4316-257-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4328-309-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4356-127-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4360-400-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4372-550-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4372-354-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4392-615-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4420-754-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4516-680-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4572-410-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4584-519-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4660-576-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4660-380-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4660-210-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4704-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4728-480-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4772-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4772-670-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4784-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4788-247-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4832-590-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4844-174-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4852-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4864-111-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4932-86-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4952-595-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4988-385-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5036-626-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5052-660-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5072-485-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5088-560-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download