563734356596c657ed114ac367b03c4bd71185cd5f49f798e07999fcdd5bf813

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
Size

910KB
MD5

731b375315d471b6d4c521aafdb7d059
SHA1

ff58197179f54d49db8aa698057f4b7c0c0de788
SHA256

563734356596c657ed114ac367b03c4bd71185cd5f49f798e07999fcdd5bf813
SHA512

e5fdc10cfbee59d3cad00cb9b855763e375ce8b766a3b42c2db57f4d67df3ec00cb0bd187ca16e759bac15f980dbc5455e45e4d689899d1c3bda50c16bc5e4f5
SSDEEP

24576:A+ivXbZrAJrr186rmIWgVRFyIMQ5xv+UXmRE43ss:A+OXbxz8JWgg5Q5kemRR8s

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2740	userinit.exe
2540	system.exe
2700	system.exe
1744	system.exe
3044	system.exe
1252	system.exe
2924	system.exe
1484	system.exe
1044	system.exe
1568	system.exe
2860	system.exe
1952	system.exe
2984	system.exe
2980	system.exe
632	system.exe
2352	system.exe
1820	system.exe
2484	system.exe
1764	system.exe
2460	system.exe
1040	system.exe
1348	system.exe
2316	system.exe
340	system.exe
2020	system.exe
1516	system.exe
2680	system.exe
2264	system.exe
2968	system.exe
2820	system.exe
908	system.exe
2536	system.exe
2576	system.exe
876	system.exe
2888	system.exe
2572	system.exe
1752	system.exe
1048	system.exe
796	system.exe
2344	system.exe
2848	system.exe
596	system.exe
1592	system.exe
2168	system.exe
1808	system.exe
1800	system.exe
2832	system.exe
1940	system.exe
1580	system.exe
1792	system.exe
1684	system.exe
1028	system.exe
1040	system.exe
1552	system.exe
2372	system.exe
340	system.exe
1008	system.exe
1724	system.exe
1716	system.exe
2664	system.exe
2956	system.exe
2812	system.exe
2552	system.exe
2816	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe
2740	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
2740	userinit.exe
2740	userinit.exe
2540	system.exe
2740	userinit.exe
2700	system.exe
2740	userinit.exe
1744	system.exe
2740	userinit.exe
3044	system.exe
2740	userinit.exe
1252	system.exe
2740	userinit.exe
2924	system.exe
2740	userinit.exe
1484	system.exe
2740	userinit.exe
1044	system.exe
2740	userinit.exe
1568	system.exe
2740	userinit.exe
2860	system.exe
2740	userinit.exe
1952	system.exe
2740	userinit.exe
2984	system.exe
2740	userinit.exe
2980	system.exe
2740	userinit.exe
632	system.exe
2740	userinit.exe
2352	system.exe
2740	userinit.exe
1820	system.exe
2740	userinit.exe
2484	system.exe
2740	userinit.exe
1764	system.exe
2740	userinit.exe
2460	system.exe
2740	userinit.exe
1040	system.exe
2740	userinit.exe
1348	system.exe
2740	userinit.exe
2316	system.exe
2740	userinit.exe
340	system.exe
2740	userinit.exe
2020	system.exe
2740	userinit.exe
1516	system.exe
2740	userinit.exe
2680	system.exe
2740	userinit.exe
2264	system.exe
2740	userinit.exe
2968	system.exe
2740	userinit.exe
2820	system.exe
2740	userinit.exe
908	system.exe
2740	userinit.exe
2536	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
2740	userinit.exe
2740	userinit.exe
2540	system.exe
2540	system.exe
2700	system.exe
2700	system.exe
1744	system.exe
1744	system.exe
3044	system.exe
3044	system.exe
1252	system.exe
1252	system.exe
2924	system.exe
2924	system.exe
1484	system.exe
1484	system.exe
1044	system.exe
1044	system.exe
1568	system.exe
1568	system.exe
2860	system.exe
2860	system.exe
1952	system.exe
1952	system.exe
2984	system.exe
2984	system.exe
2980	system.exe
2980	system.exe
632	system.exe
632	system.exe
2352	system.exe
2352	system.exe
1820	system.exe
1820	system.exe
2484	system.exe
2484	system.exe
1764	system.exe
1764	system.exe
2460	system.exe
2460	system.exe
1040	system.exe
1040	system.exe
1348	system.exe
1348	system.exe
2316	system.exe
2316	system.exe
340	system.exe
340	system.exe
2020	system.exe
2020	system.exe
1516	system.exe
1516	system.exe
2680	system.exe
2680	system.exe
2264	system.exe
2264	system.exe
2968	system.exe
2968	system.exe
2820	system.exe
2820	system.exe
908	system.exe
908	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2740	2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2740	2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2740	2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2740	2084	731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2540	2740	userinit.exe	31
PID 2740 wrote to memory of 2540	2740	userinit.exe	31
PID 2740 wrote to memory of 2540	2740	userinit.exe	31
PID 2740 wrote to memory of 2540	2740	userinit.exe	31
PID 2740 wrote to memory of 2700	2740	userinit.exe	32
PID 2740 wrote to memory of 2700	2740	userinit.exe	32
PID 2740 wrote to memory of 2700	2740	userinit.exe	32
PID 2740 wrote to memory of 2700	2740	userinit.exe	32
PID 2740 wrote to memory of 1744	2740	userinit.exe	33
PID 2740 wrote to memory of 1744	2740	userinit.exe	33
PID 2740 wrote to memory of 1744	2740	userinit.exe	33
PID 2740 wrote to memory of 1744	2740	userinit.exe	33
PID 2740 wrote to memory of 3044	2740	userinit.exe	34
PID 2740 wrote to memory of 3044	2740	userinit.exe	34
PID 2740 wrote to memory of 3044	2740	userinit.exe	34
PID 2740 wrote to memory of 3044	2740	userinit.exe	34
PID 2740 wrote to memory of 1252	2740	userinit.exe	35
PID 2740 wrote to memory of 1252	2740	userinit.exe	35
PID 2740 wrote to memory of 1252	2740	userinit.exe	35
PID 2740 wrote to memory of 1252	2740	userinit.exe	35
PID 2740 wrote to memory of 2924	2740	userinit.exe	36
PID 2740 wrote to memory of 2924	2740	userinit.exe	36
PID 2740 wrote to memory of 2924	2740	userinit.exe	36
PID 2740 wrote to memory of 2924	2740	userinit.exe	36
PID 2740 wrote to memory of 1484	2740	userinit.exe	37
PID 2740 wrote to memory of 1484	2740	userinit.exe	37
PID 2740 wrote to memory of 1484	2740	userinit.exe	37
PID 2740 wrote to memory of 1484	2740	userinit.exe	37
PID 2740 wrote to memory of 1044	2740	userinit.exe	38
PID 2740 wrote to memory of 1044	2740	userinit.exe	38
PID 2740 wrote to memory of 1044	2740	userinit.exe	38
PID 2740 wrote to memory of 1044	2740	userinit.exe	38
PID 2740 wrote to memory of 1568	2740	userinit.exe	39
PID 2740 wrote to memory of 1568	2740	userinit.exe	39
PID 2740 wrote to memory of 1568	2740	userinit.exe	39
PID 2740 wrote to memory of 1568	2740	userinit.exe	39
PID 2740 wrote to memory of 2860	2740	userinit.exe	40
PID 2740 wrote to memory of 2860	2740	userinit.exe	40
PID 2740 wrote to memory of 2860	2740	userinit.exe	40
PID 2740 wrote to memory of 2860	2740	userinit.exe	40
PID 2740 wrote to memory of 1952	2740	userinit.exe	41
PID 2740 wrote to memory of 1952	2740	userinit.exe	41
PID 2740 wrote to memory of 1952	2740	userinit.exe	41
PID 2740 wrote to memory of 1952	2740	userinit.exe	41
PID 2740 wrote to memory of 2984	2740	userinit.exe	42
PID 2740 wrote to memory of 2984	2740	userinit.exe	42
PID 2740 wrote to memory of 2984	2740	userinit.exe	42
PID 2740 wrote to memory of 2984	2740	userinit.exe	42
PID 2740 wrote to memory of 2980	2740	userinit.exe	43
PID 2740 wrote to memory of 2980	2740	userinit.exe	43
PID 2740 wrote to memory of 2980	2740	userinit.exe	43
PID 2740 wrote to memory of 2980	2740	userinit.exe	43
PID 2740 wrote to memory of 632	2740	userinit.exe	44
PID 2740 wrote to memory of 632	2740	userinit.exe	44
PID 2740 wrote to memory of 632	2740	userinit.exe	44
PID 2740 wrote to memory of 632	2740	userinit.exe	44
PID 2740 wrote to memory of 2352	2740	userinit.exe	45
PID 2740 wrote to memory of 2352	2740	userinit.exe	45
PID 2740 wrote to memory of 2352	2740	userinit.exe	45
PID 2740 wrote to memory of 2352	2740	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\731b375315d471b6d4c521aafdb7d059_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
910KB

MD5
731b375315d471b6d4c521aafdb7d059

SHA1
ff58197179f54d49db8aa698057f4b7c0c0de788

SHA256
563734356596c657ed114ac367b03c4bd71185cd5f49f798e07999fcdd5bf813

SHA512
e5fdc10cfbee59d3cad00cb9b855763e375ce8b766a3b42c2db57f4d67df3ec00cb0bd187ca16e759bac15f980dbc5455e45e4d689899d1c3bda50c16bc5e4f5

Download Submit
memory/340-275-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/876-366-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/908-338-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1040-539-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1044-116-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1044-114-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1252-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1348-255-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1484-104-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1484-102-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1516-293-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1568-127-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1580-503-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1592-450-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1592-448-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1744-58-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1752-395-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1764-223-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1792-513-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1952-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2020-284-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2084-12-0x00000000025A0000-0x00000000025F7000-memory.dmp

Filesize
348KB

Download
memory/2084-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2084-13-0x00000000025A0000-0x00000000025F7000-memory.dmp

Filesize
348KB

Download
memory/2084-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2316-265-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2460-234-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2536-347-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2540-34-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-303-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2700-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2740-436-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-483-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-273-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-280-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-260-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-261-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-292-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-291-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-299-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-251-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-308-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-316-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-544-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-327-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-30-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-334-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-534-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-343-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-535-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-353-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-352-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-362-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-361-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-146-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-526-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-374-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-372-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-518-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-386-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-385-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-391-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-36-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-393-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-404-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-405-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-410-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-422-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-421-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-427-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-512-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-502-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-43-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-447-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-445-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-66-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-458-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-463-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-475-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-474-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-493-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-274-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-482-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2740-492-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/2820-329-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2832-486-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2832-484-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2848-431-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2860-138-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2888-377-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2888-375-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2924-92-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2968-320-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2980-172-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2984-161-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3044-70-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download