a2f31a27fd7dc171dca7479ff0200dfa578365a42f3da3e279bc4c89e8af19db

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
Size

887KB
MD5

dfcdb72099062e5d65d23b12fe9b1501
SHA1

e7aa9c7712619c511f439d3e61903ca077d7bf9e
SHA256

a2f31a27fd7dc171dca7479ff0200dfa578365a42f3da3e279bc4c89e8af19db
SHA512

037986cce78ce597c92464e83785b48e518aa0635f8860e7628e5a280ee59777b1a84a6aa9dd541c021859e88eee1e8a75395c17621dca136a1d13bbae4c340c
SSDEEP

24576:u+JbZKXJrr186amIWRVRFyIM45x6WK+WhoQXaFZOJ2jP:u+JbQsJJWRg545kWFKTgVjP

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1664	userinit.exe
3520	system.exe
3512	system.exe
3472	system.exe
4440	system.exe
376	system.exe
1264	system.exe
4380	system.exe
3748	system.exe
3732	system.exe
3516	system.exe
1168	system.exe
4772	system.exe
4876	system.exe
1656	system.exe
2592	system.exe
32	system.exe
4340	system.exe
4344	system.exe
2196	system.exe
524	system.exe
4568	system.exe
2376	system.exe
4840	system.exe
4296	system.exe
3288	system.exe
3860	system.exe
1912	system.exe
3720	system.exe
2956	system.exe
4896	system.exe
4528	system.exe
3512	system.exe
4808	system.exe
3188	system.exe
4764	system.exe
2192	system.exe
2020	system.exe
2992	system.exe
1640	system.exe
3548	system.exe
3124	system.exe
848	system.exe
4972	system.exe
4508	system.exe
1244	system.exe
2528	system.exe
3804	system.exe
996	system.exe
3836	system.exe
2324	system.exe
4800	system.exe
4016	system.exe
3132	system.exe
1400	system.exe
4456	system.exe
4600	system.exe
3224	system.exe
3288	system.exe
2776	system.exe
1300	system.exe
4580	system.exe
1888	system.exe
2860	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
1664	userinit.exe
1664	userinit.exe
1664	userinit.exe
1664	userinit.exe
3520	system.exe
3520	system.exe
1664	userinit.exe
1664	userinit.exe
3512	system.exe
3512	system.exe
1664	userinit.exe
1664	userinit.exe
3472	system.exe
3472	system.exe
1664	userinit.exe
1664	userinit.exe
4440	system.exe
4440	system.exe
1664	userinit.exe
1664	userinit.exe
376	system.exe
376	system.exe
1664	userinit.exe
1664	userinit.exe
1264	system.exe
1264	system.exe
1664	userinit.exe
1664	userinit.exe
4380	system.exe
4380	system.exe
1664	userinit.exe
1664	userinit.exe
3748	system.exe
3748	system.exe
1664	userinit.exe
1664	userinit.exe
3732	system.exe
3732	system.exe
1664	userinit.exe
1664	userinit.exe
3516	system.exe
3516	system.exe
1664	userinit.exe
1664	userinit.exe
1168	system.exe
1168	system.exe
1664	userinit.exe
1664	userinit.exe
4772	system.exe
4772	system.exe
1664	userinit.exe
1664	userinit.exe
4876	system.exe
4876	system.exe
1664	userinit.exe
1664	userinit.exe
1656	system.exe
1656	system.exe
1664	userinit.exe
1664	userinit.exe
2592	system.exe
2592	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1664	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
1664	userinit.exe
1664	userinit.exe
3520	system.exe
3520	system.exe
3512	system.exe
3512	system.exe
3472	system.exe
3472	system.exe
4440	system.exe
4440	system.exe
376	system.exe
376	system.exe
1264	system.exe
1264	system.exe
4380	system.exe
4380	system.exe
3748	system.exe
3748	system.exe
3732	system.exe
3732	system.exe
3516	system.exe
3516	system.exe
1168	system.exe
1168	system.exe
4772	system.exe
4772	system.exe
4876	system.exe
4876	system.exe
1656	system.exe
1656	system.exe
2592	system.exe
2592	system.exe
32	system.exe
32	system.exe
4340	system.exe
4340	system.exe
4344	system.exe
4344	system.exe
2196	system.exe
2196	system.exe
524	system.exe
524	system.exe
4568	system.exe
4568	system.exe
2376	system.exe
2376	system.exe
4840	system.exe
4840	system.exe
4296	system.exe
4296	system.exe
3288	system.exe
3288	system.exe
3860	system.exe
3860	system.exe
1912	system.exe
1912	system.exe
3720	system.exe
3720	system.exe
2956	system.exe
2956	system.exe
4896	system.exe
4896	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1664	4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe	84
PID 4276 wrote to memory of 1664	4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe	84
PID 4276 wrote to memory of 1664	4276	dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe	84
PID 1664 wrote to memory of 3520	1664	userinit.exe	88
PID 1664 wrote to memory of 3520	1664	userinit.exe	88
PID 1664 wrote to memory of 3520	1664	userinit.exe	88
PID 1664 wrote to memory of 3512	1664	userinit.exe	89
PID 1664 wrote to memory of 3512	1664	userinit.exe	89
PID 1664 wrote to memory of 3512	1664	userinit.exe	89
PID 1664 wrote to memory of 3472	1664	userinit.exe	92
PID 1664 wrote to memory of 3472	1664	userinit.exe	92
PID 1664 wrote to memory of 3472	1664	userinit.exe	92
PID 1664 wrote to memory of 4440	1664	userinit.exe	95
PID 1664 wrote to memory of 4440	1664	userinit.exe	95
PID 1664 wrote to memory of 4440	1664	userinit.exe	95
PID 1664 wrote to memory of 376	1664	userinit.exe	96
PID 1664 wrote to memory of 376	1664	userinit.exe	96
PID 1664 wrote to memory of 376	1664	userinit.exe	96
PID 1664 wrote to memory of 1264	1664	userinit.exe	97
PID 1664 wrote to memory of 1264	1664	userinit.exe	97
PID 1664 wrote to memory of 1264	1664	userinit.exe	97
PID 1664 wrote to memory of 4380	1664	userinit.exe	99
PID 1664 wrote to memory of 4380	1664	userinit.exe	99
PID 1664 wrote to memory of 4380	1664	userinit.exe	99
PID 1664 wrote to memory of 3748	1664	userinit.exe	100
PID 1664 wrote to memory of 3748	1664	userinit.exe	100
PID 1664 wrote to memory of 3748	1664	userinit.exe	100
PID 1664 wrote to memory of 3732	1664	userinit.exe	101
PID 1664 wrote to memory of 3732	1664	userinit.exe	101
PID 1664 wrote to memory of 3732	1664	userinit.exe	101
PID 1664 wrote to memory of 3516	1664	userinit.exe	104
PID 1664 wrote to memory of 3516	1664	userinit.exe	104
PID 1664 wrote to memory of 3516	1664	userinit.exe	104
PID 1664 wrote to memory of 1168	1664	userinit.exe	105
PID 1664 wrote to memory of 1168	1664	userinit.exe	105
PID 1664 wrote to memory of 1168	1664	userinit.exe	105
PID 1664 wrote to memory of 4772	1664	userinit.exe	106
PID 1664 wrote to memory of 4772	1664	userinit.exe	106
PID 1664 wrote to memory of 4772	1664	userinit.exe	106
PID 1664 wrote to memory of 4876	1664	userinit.exe	107
PID 1664 wrote to memory of 4876	1664	userinit.exe	107
PID 1664 wrote to memory of 4876	1664	userinit.exe	107
PID 1664 wrote to memory of 1656	1664	userinit.exe	108
PID 1664 wrote to memory of 1656	1664	userinit.exe	108
PID 1664 wrote to memory of 1656	1664	userinit.exe	108
PID 1664 wrote to memory of 2592	1664	userinit.exe	109
PID 1664 wrote to memory of 2592	1664	userinit.exe	109
PID 1664 wrote to memory of 2592	1664	userinit.exe	109
PID 1664 wrote to memory of 32	1664	userinit.exe	110
PID 1664 wrote to memory of 32	1664	userinit.exe	110
PID 1664 wrote to memory of 32	1664	userinit.exe	110
PID 1664 wrote to memory of 4340	1664	userinit.exe	111
PID 1664 wrote to memory of 4340	1664	userinit.exe	111
PID 1664 wrote to memory of 4340	1664	userinit.exe	111
PID 1664 wrote to memory of 4344	1664	userinit.exe	112
PID 1664 wrote to memory of 4344	1664	userinit.exe	112
PID 1664 wrote to memory of 4344	1664	userinit.exe	112
PID 1664 wrote to memory of 2196	1664	userinit.exe	113
PID 1664 wrote to memory of 2196	1664	userinit.exe	113
PID 1664 wrote to memory of 2196	1664	userinit.exe	113
PID 1664 wrote to memory of 524	1664	userinit.exe	114
PID 1664 wrote to memory of 524	1664	userinit.exe	114
PID 1664 wrote to memory of 524	1664	userinit.exe	114
PID 1664 wrote to memory of 4568	1664	userinit.exe	115

C:\Users\Admin\AppData\Local\Temp\dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfcdb72099062e5d65d23b12fe9b1501_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:32
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
887KB

MD5
dfcdb72099062e5d65d23b12fe9b1501

SHA1
e7aa9c7712619c511f439d3e61903ca077d7bf9e

SHA256
a2f31a27fd7dc171dca7479ff0200dfa578365a42f3da3e279bc4c89e8af19db

SHA512
037986cce78ce597c92464e83785b48e518aa0635f8860e7628e5a280ee59777b1a84a6aa9dd541c021859e88eee1e8a75395c17621dca136a1d13bbae4c340c

Download Submit
memory/32-99-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/376-44-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/524-119-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/540-433-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/664-398-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/740-429-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/836-350-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/848-228-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/852-479-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/996-258-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1004-394-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1084-457-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1168-74-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1244-243-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1264-49-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1300-314-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1400-285-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1620-362-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1640-212-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1656-89-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1664-214-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1912-153-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2020-202-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2044-370-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2196-114-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2324-267-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2376-129-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2424-475-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2428-338-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2524-418-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2528-248-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2592-94-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2628-406-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2636-378-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-309-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2860-326-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2920-483-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2956-163-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2992-207-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3124-223-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3140-468-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3176-461-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3184-441-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3188-188-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3196-366-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3224-300-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3252-374-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3288-143-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3472-34-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3512-178-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3512-29-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3516-69-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3520-24-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3540-390-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3548-218-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3720-158-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3732-64-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3748-59-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3804-253-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3804-425-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3860-148-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3892-445-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4012-342-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4060-414-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4148-386-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4276-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4276-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4296-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4340-104-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4344-109-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4352-354-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4380-54-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4440-39-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4456-290-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4504-346-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4508-410-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4508-238-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4528-173-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4568-124-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4580-319-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4600-295-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4668-330-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4696-382-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4764-193-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4768-449-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4772-79-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4800-272-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4808-183-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4816-334-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4876-84-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4896-168-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4920-437-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4928-453-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4956-402-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4972-233-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5092-358-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download