bc9305362aefae01309bb38865bfa1a56a273902d09c2c511ee8a2901b8b4936

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
Size

890KB
MD5

ed9181f7bb47bfd68d6dc3b0c3f92d53
SHA1

1e33eaa582abd96c7217bbc757663d41e470c14b
SHA256

bc9305362aefae01309bb38865bfa1a56a273902d09c2c511ee8a2901b8b4936
SHA512

9346c302a27b623b73c17187a97466e09cbb6b52a3ec61aa01aab464c637f201482295566a274fdba9030957f1f946cda9e91236ec1a1520a6584fa14d6592e9
SSDEEP

24576:C+iuXbZK+Jrr186amIWg1RFyIMX5xv+ZXmRE43ss:C+7XbQpJJWgA5X5kxmRR8s

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
4660	userinit.exe
2204	system.exe
404	system.exe
3592	system.exe
2788	system.exe
5000	system.exe
4696	system.exe
3048	system.exe
2144	system.exe
216	system.exe
1724	system.exe
4752	system.exe
2192	system.exe
2792	system.exe
432	system.exe
4116	system.exe
3600	system.exe
3400	system.exe
4996	system.exe
2776	system.exe
5028	system.exe
2552	system.exe
1968	system.exe
1764	system.exe
3564	system.exe
3604	system.exe
2636	system.exe
4608	system.exe
5052	system.exe
3068	system.exe
4500	system.exe
4720	system.exe
4888	system.exe
2204	system.exe
404	system.exe
812	system.exe
5000	system.exe
4696	system.exe
2244	system.exe
1088	system.exe
4892	system.exe
1724	system.exe
4392	system.exe
2752	system.exe
388	system.exe
4576	system.exe
3480	system.exe
780	system.exe
4628	system.exe
1888	system.exe
512	system.exe
2220	system.exe
448	system.exe
4152	system.exe
2300	system.exe
536	system.exe
4740	system.exe
3936	system.exe
4592	system.exe
3920	system.exe
532	system.exe
316	system.exe
1696	system.exe
3352	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
4660	userinit.exe
4660	userinit.exe
4660	userinit.exe
4660	userinit.exe
2204	system.exe
2204	system.exe
4660	userinit.exe
4660	userinit.exe
404	system.exe
404	system.exe
4660	userinit.exe
4660	userinit.exe
3592	system.exe
3592	system.exe
4660	userinit.exe
4660	userinit.exe
2788	system.exe
2788	system.exe
4660	userinit.exe
4660	userinit.exe
5000	system.exe
5000	system.exe
4660	userinit.exe
4660	userinit.exe
4696	system.exe
4696	system.exe
4660	userinit.exe
4660	userinit.exe
3048	system.exe
3048	system.exe
4660	userinit.exe
4660	userinit.exe
2144	system.exe
2144	system.exe
4660	userinit.exe
4660	userinit.exe
216	system.exe
216	system.exe
4660	userinit.exe
4660	userinit.exe
1724	system.exe
1724	system.exe
4660	userinit.exe
4660	userinit.exe
4752	system.exe
4752	system.exe
4660	userinit.exe
4660	userinit.exe
2192	system.exe
2192	system.exe
4660	userinit.exe
4660	userinit.exe
2792	system.exe
2792	system.exe
4660	userinit.exe
4660	userinit.exe
432	system.exe
432	system.exe
4660	userinit.exe
4660	userinit.exe
4116	system.exe
4116	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4660	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
4660	userinit.exe
4660	userinit.exe
2204	system.exe
2204	system.exe
404	system.exe
404	system.exe
3592	system.exe
3592	system.exe
2788	system.exe
2788	system.exe
5000	system.exe
5000	system.exe
4696	system.exe
4696	system.exe
3048	system.exe
3048	system.exe
2144	system.exe
2144	system.exe
216	system.exe
216	system.exe
1724	system.exe
1724	system.exe
4752	system.exe
4752	system.exe
2192	system.exe
2192	system.exe
2792	system.exe
2792	system.exe
432	system.exe
432	system.exe
4116	system.exe
4116	system.exe
3600	system.exe
3600	system.exe
3400	system.exe
3400	system.exe
4996	system.exe
4996	system.exe
2776	system.exe
2776	system.exe
5028	system.exe
5028	system.exe
2552	system.exe
2552	system.exe
1968	system.exe
1968	system.exe
1764	system.exe
1764	system.exe
3564	system.exe
3564	system.exe
3604	system.exe
3604	system.exe
2636	system.exe
2636	system.exe
4608	system.exe
4608	system.exe
5052	system.exe
5052	system.exe
3068	system.exe
3068	system.exe
4500	system.exe
4500	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4660	412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe	82
PID 412 wrote to memory of 4660	412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe	82
PID 412 wrote to memory of 4660	412	ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe	82
PID 4660 wrote to memory of 2204	4660	userinit.exe	83
PID 4660 wrote to memory of 2204	4660	userinit.exe	83
PID 4660 wrote to memory of 2204	4660	userinit.exe	83
PID 4660 wrote to memory of 404	4660	userinit.exe	84
PID 4660 wrote to memory of 404	4660	userinit.exe	84
PID 4660 wrote to memory of 404	4660	userinit.exe	84
PID 4660 wrote to memory of 3592	4660	userinit.exe	87
PID 4660 wrote to memory of 3592	4660	userinit.exe	87
PID 4660 wrote to memory of 3592	4660	userinit.exe	87
PID 4660 wrote to memory of 2788	4660	userinit.exe	90
PID 4660 wrote to memory of 2788	4660	userinit.exe	90
PID 4660 wrote to memory of 2788	4660	userinit.exe	90
PID 4660 wrote to memory of 5000	4660	userinit.exe	91
PID 4660 wrote to memory of 5000	4660	userinit.exe	91
PID 4660 wrote to memory of 5000	4660	userinit.exe	91
PID 4660 wrote to memory of 4696	4660	userinit.exe	92
PID 4660 wrote to memory of 4696	4660	userinit.exe	92
PID 4660 wrote to memory of 4696	4660	userinit.exe	92
PID 4660 wrote to memory of 3048	4660	userinit.exe	94
PID 4660 wrote to memory of 3048	4660	userinit.exe	94
PID 4660 wrote to memory of 3048	4660	userinit.exe	94
PID 4660 wrote to memory of 2144	4660	userinit.exe	95
PID 4660 wrote to memory of 2144	4660	userinit.exe	95
PID 4660 wrote to memory of 2144	4660	userinit.exe	95
PID 4660 wrote to memory of 216	4660	userinit.exe	98
PID 4660 wrote to memory of 216	4660	userinit.exe	98
PID 4660 wrote to memory of 216	4660	userinit.exe	98
PID 4660 wrote to memory of 1724	4660	userinit.exe	99
PID 4660 wrote to memory of 1724	4660	userinit.exe	99
PID 4660 wrote to memory of 1724	4660	userinit.exe	99
PID 4660 wrote to memory of 4752	4660	userinit.exe	100
PID 4660 wrote to memory of 4752	4660	userinit.exe	100
PID 4660 wrote to memory of 4752	4660	userinit.exe	100
PID 4660 wrote to memory of 2192	4660	userinit.exe	101
PID 4660 wrote to memory of 2192	4660	userinit.exe	101
PID 4660 wrote to memory of 2192	4660	userinit.exe	101
PID 4660 wrote to memory of 2792	4660	userinit.exe	102
PID 4660 wrote to memory of 2792	4660	userinit.exe	102
PID 4660 wrote to memory of 2792	4660	userinit.exe	102
PID 4660 wrote to memory of 432	4660	userinit.exe	103
PID 4660 wrote to memory of 432	4660	userinit.exe	103
PID 4660 wrote to memory of 432	4660	userinit.exe	103
PID 4660 wrote to memory of 4116	4660	userinit.exe	104
PID 4660 wrote to memory of 4116	4660	userinit.exe	104
PID 4660 wrote to memory of 4116	4660	userinit.exe	104
PID 4660 wrote to memory of 3600	4660	userinit.exe	105
PID 4660 wrote to memory of 3600	4660	userinit.exe	105
PID 4660 wrote to memory of 3600	4660	userinit.exe	105
PID 4660 wrote to memory of 3400	4660	userinit.exe	106
PID 4660 wrote to memory of 3400	4660	userinit.exe	106
PID 4660 wrote to memory of 3400	4660	userinit.exe	106
PID 4660 wrote to memory of 4996	4660	userinit.exe	107
PID 4660 wrote to memory of 4996	4660	userinit.exe	107
PID 4660 wrote to memory of 4996	4660	userinit.exe	107
PID 4660 wrote to memory of 2776	4660	userinit.exe	108
PID 4660 wrote to memory of 2776	4660	userinit.exe	108
PID 4660 wrote to memory of 2776	4660	userinit.exe	108
PID 4660 wrote to memory of 5028	4660	userinit.exe	109
PID 4660 wrote to memory of 5028	4660	userinit.exe	109
PID 4660 wrote to memory of 5028	4660	userinit.exe	109
PID 4660 wrote to memory of 2552	4660	userinit.exe	110

C:\Users\Admin\AppData\Local\Temp\ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed9181f7bb47bfd68d6dc3b0c3f92d53_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
890KB

MD5
ed9181f7bb47bfd68d6dc3b0c3f92d53

SHA1
1e33eaa582abd96c7217bbc757663d41e470c14b

SHA256
bc9305362aefae01309bb38865bfa1a56a273902d09c2c511ee8a2901b8b4936

SHA512
9346c302a27b623b73c17187a97466e09cbb6b52a3ec61aa01aab464c637f201482295566a274fdba9030957f1f946cda9e91236ec1a1520a6584fa14d6592e9

Download Submit
memory/216-409-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/216-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/316-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/388-239-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/404-30-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/404-189-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/412-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/412-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/432-90-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/448-277-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/456-338-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/512-267-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/532-317-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/696-358-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/752-461-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/780-252-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/812-194-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/892-374-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1088-213-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1228-465-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1380-362-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1696-326-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1724-70-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1724-224-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1764-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1860-366-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1888-262-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-370-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1928-417-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1968-130-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2144-60-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2192-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-184-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2220-272-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2244-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2300-287-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2552-125-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2752-234-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2752-425-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2776-115-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2788-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2952-393-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3048-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3068-164-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3096-421-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3352-330-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3400-105-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3400-457-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3504-401-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3544-429-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3564-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3592-382-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3592-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3596-378-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3600-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3604-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3708-437-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3908-449-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3920-312-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-302-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4048-441-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4076-397-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4116-95-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4152-282-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4164-433-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4360-405-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4392-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4420-346-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4464-386-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4480-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4500-169-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4592-307-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4608-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4628-445-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4628-257-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4660-215-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4696-50-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4700-354-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4720-174-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4724-342-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4740-297-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4752-75-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4816-350-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4888-179-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-219-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-413-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4996-110-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5000-199-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5000-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5028-120-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5044-334-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5052-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download