351619c51457e3d704c213a89436a1a123981172271dea05ea1caa5de10e25fc

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
Size

80KB
MD5

81c199973a5576af6afda78012e53af3
SHA1

d6be18215d92da4bc4cf2e2bdf17b3264c1b89e3
SHA256

351619c51457e3d704c213a89436a1a123981172271dea05ea1caa5de10e25fc
SHA512

e4979ca91f6d7082cf7b1107848e34a2dd3232a5f30bf83c4052c4109724ecea331412e7f9db8432e67f7b65d8f79b8312baa7c3e832b25fc03370983c034905
SSDEEP

1536:fmOHV3ffrG6fo5ZCB+1Igf1BJWKeaRhdsRRYW:z13ffrG6fUUB+mYAKeajKYW

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2156	userinit.exe
2052	system.exe
2752	system.exe
2976	system.exe
2620	system.exe
2612	system.exe
2324	system.exe
1136	system.exe
1796	system.exe
1052	system.exe
1724	system.exe
1628	system.exe
2816	system.exe
2184	system.exe
284	system.exe
2580	system.exe
292	system.exe
1084	system.exe
1580	system.exe
1548	system.exe
1480	system.exe
348	system.exe
2388	system.exe
3068	system.exe
1600	system.exe
1388	system.exe
2536	system.exe
2288	system.exe
2872	system.exe
2632	system.exe
2644	system.exe
2216	system.exe
1428	system.exe
1656	system.exe
1300	system.exe
1796	system.exe
1792	system.exe
1620	system.exe
2824	system.exe
2952	system.exe
2684	system.exe
1612	system.exe
604	system.exe
1524	system.exe
1696	system.exe
1716	system.exe
1556	system.exe
1384	system.exe
2380	system.exe
1476	system.exe
688	system.exe
876	system.exe
1560	system.exe
2532	system.exe
2516	system.exe
2536	system.exe
2900	system.exe
2872	system.exe
2600	system.exe
2644	system.exe
2216	system.exe
1428	system.exe
1544	system.exe
1136	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe
2156	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
2156	userinit.exe
2156	userinit.exe
2052	system.exe
2156	userinit.exe
2752	system.exe
2156	userinit.exe
2976	system.exe
2156	userinit.exe
2620	system.exe
2156	userinit.exe
2612	system.exe
2156	userinit.exe
2324	system.exe
2156	userinit.exe
1136	system.exe
2156	userinit.exe
1796	system.exe
2156	userinit.exe
1052	system.exe
2156	userinit.exe
1724	system.exe
2156	userinit.exe
1628	system.exe
2156	userinit.exe
2816	system.exe
2156	userinit.exe
2184	system.exe
2156	userinit.exe
284	system.exe
2156	userinit.exe
2580	system.exe
2156	userinit.exe
292	system.exe
2156	userinit.exe
1084	system.exe
2156	userinit.exe
1580	system.exe
2156	userinit.exe
1548	system.exe
2156	userinit.exe
1480	system.exe
2156	userinit.exe
348	system.exe
2156	userinit.exe
2388	system.exe
2156	userinit.exe
3068	system.exe
2156	userinit.exe
1600	system.exe
2156	userinit.exe
1388	system.exe
2156	userinit.exe
2536	system.exe
2156	userinit.exe
2288	system.exe
2156	userinit.exe
2872	system.exe
2156	userinit.exe
2632	system.exe
2156	userinit.exe
2644	system.exe
2156	userinit.exe
2216	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
2156	userinit.exe
2156	userinit.exe
2052	system.exe
2052	system.exe
2752	system.exe
2752	system.exe
2976	system.exe
2976	system.exe
2620	system.exe
2620	system.exe
2612	system.exe
2612	system.exe
2324	system.exe
2324	system.exe
1136	system.exe
1136	system.exe
1796	system.exe
1796	system.exe
1052	system.exe
1052	system.exe
1724	system.exe
1724	system.exe
1628	system.exe
1628	system.exe
2816	system.exe
2816	system.exe
2184	system.exe
2184	system.exe
284	system.exe
284	system.exe
2580	system.exe
2580	system.exe
292	system.exe
292	system.exe
1084	system.exe
1084	system.exe
1580	system.exe
1580	system.exe
1548	system.exe
1548	system.exe
1480	system.exe
1480	system.exe
348	system.exe
348	system.exe
2388	system.exe
2388	system.exe
3068	system.exe
3068	system.exe
1600	system.exe
1600	system.exe
1388	system.exe
1388	system.exe
2536	system.exe
2536	system.exe
2288	system.exe
2288	system.exe
2872	system.exe
2872	system.exe
2632	system.exe
2632	system.exe
2644	system.exe
2644	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2156	1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2156	1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2156	1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2156	1908	81c199973a5576af6afda78012e53af3_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2052	2156	userinit.exe	31
PID 2156 wrote to memory of 2052	2156	userinit.exe	31
PID 2156 wrote to memory of 2052	2156	userinit.exe	31
PID 2156 wrote to memory of 2052	2156	userinit.exe	31
PID 2156 wrote to memory of 2752	2156	userinit.exe	32
PID 2156 wrote to memory of 2752	2156	userinit.exe	32
PID 2156 wrote to memory of 2752	2156	userinit.exe	32
PID 2156 wrote to memory of 2752	2156	userinit.exe	32
PID 2156 wrote to memory of 2976	2156	userinit.exe	34
PID 2156 wrote to memory of 2976	2156	userinit.exe	34
PID 2156 wrote to memory of 2976	2156	userinit.exe	34
PID 2156 wrote to memory of 2976	2156	userinit.exe	34
PID 2156 wrote to memory of 2620	2156	userinit.exe	35
PID 2156 wrote to memory of 2620	2156	userinit.exe	35
PID 2156 wrote to memory of 2620	2156	userinit.exe	35
PID 2156 wrote to memory of 2620	2156	userinit.exe	35
PID 2156 wrote to memory of 2612	2156	userinit.exe	36
PID 2156 wrote to memory of 2612	2156	userinit.exe	36
PID 2156 wrote to memory of 2612	2156	userinit.exe	36
PID 2156 wrote to memory of 2612	2156	userinit.exe	36
PID 2156 wrote to memory of 2324	2156	userinit.exe	37
PID 2156 wrote to memory of 2324	2156	userinit.exe	37
PID 2156 wrote to memory of 2324	2156	userinit.exe	37
PID 2156 wrote to memory of 2324	2156	userinit.exe	37
PID 2156 wrote to memory of 1136	2156	userinit.exe	38
PID 2156 wrote to memory of 1136	2156	userinit.exe	38
PID 2156 wrote to memory of 1136	2156	userinit.exe	38
PID 2156 wrote to memory of 1136	2156	userinit.exe	38
PID 2156 wrote to memory of 1796	2156	userinit.exe	39
PID 2156 wrote to memory of 1796	2156	userinit.exe	39
PID 2156 wrote to memory of 1796	2156	userinit.exe	39
PID 2156 wrote to memory of 1796	2156	userinit.exe	39
PID 2156 wrote to memory of 1052	2156	userinit.exe	40
PID 2156 wrote to memory of 1052	2156	userinit.exe	40
PID 2156 wrote to memory of 1052	2156	userinit.exe	40
PID 2156 wrote to memory of 1052	2156	userinit.exe	40
PID 2156 wrote to memory of 1724	2156	userinit.exe	41
PID 2156 wrote to memory of 1724	2156	userinit.exe	41
PID 2156 wrote to memory of 1724	2156	userinit.exe	41
PID 2156 wrote to memory of 1724	2156	userinit.exe	41
PID 2156 wrote to memory of 1628	2156	userinit.exe	42
PID 2156 wrote to memory of 1628	2156	userinit.exe	42
PID 2156 wrote to memory of 1628	2156	userinit.exe	42
PID 2156 wrote to memory of 1628	2156	userinit.exe	42
PID 2156 wrote to memory of 2816	2156	userinit.exe	43
PID 2156 wrote to memory of 2816	2156	userinit.exe	43
PID 2156 wrote to memory of 2816	2156	userinit.exe	43
PID 2156 wrote to memory of 2816	2156	userinit.exe	43
PID 2156 wrote to memory of 2184	2156	userinit.exe	44
PID 2156 wrote to memory of 2184	2156	userinit.exe	44
PID 2156 wrote to memory of 2184	2156	userinit.exe	44
PID 2156 wrote to memory of 2184	2156	userinit.exe	44
PID 2156 wrote to memory of 284	2156	userinit.exe	45
PID 2156 wrote to memory of 284	2156	userinit.exe	45
PID 2156 wrote to memory of 284	2156	userinit.exe	45
PID 2156 wrote to memory of 284	2156	userinit.exe	45
PID 2156 wrote to memory of 2580	2156	userinit.exe	46
PID 2156 wrote to memory of 2580	2156	userinit.exe	46
PID 2156 wrote to memory of 2580	2156	userinit.exe	46
PID 2156 wrote to memory of 2580	2156	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\81c199973a5576af6afda78012e53af3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c199973a5576af6afda78012e53af3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
80KB

MD5
81c199973a5576af6afda78012e53af3

SHA1
d6be18215d92da4bc4cf2e2bdf17b3264c1b89e3

SHA256
351619c51457e3d704c213a89436a1a123981172271dea05ea1caa5de10e25fc

SHA512
e4979ca91f6d7082cf7b1107848e34a2dd3232a5f30bf83c4052c4109724ecea331412e7f9db8432e67f7b65d8f79b8312baa7c3e832b25fc03370983c034905

Download Submit
memory/284-201-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/292-226-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/348-285-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/688-581-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/876-592-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1052-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1052-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1084-234-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1136-116-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1300-413-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1428-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1476-571-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1548-259-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1556-539-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1580-250-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1600-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1600-312-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1612-488-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1696-519-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1724-158-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1792-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1792-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1796-134-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1796-131-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1908-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-13-0x0000000002480000-0x00000000024BD000-memory.dmp

Filesize
244KB

Download
memory/1908-14-0x0000000002480000-0x00000000024BD000-memory.dmp

Filesize
244KB

Download
memory/1908-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-36-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2156-463-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-412-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-115-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-16-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2156-580-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-103-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-579-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-27-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-566-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-246-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-88-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-567-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-281-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-556-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-557-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-545-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-546-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-73-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-74-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-320-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-319-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-333-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-331-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-537-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-538-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-34-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-524-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-351-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-525-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-516-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-371-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-372-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-517-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-380-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-379-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-503-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-389-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-390-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-504-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-399-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-400-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-497-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-130-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-411-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-421-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-420-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-430-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-496-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-433-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-49-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-442-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-441-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-453-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-452-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-484-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-464-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-48-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-474-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-473-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2156-483-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2184-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2216-384-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2288-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2288-344-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2324-107-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2324-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-294-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-295-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-335-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2580-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-89-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2612-93-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-75-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-76-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2644-373-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2684-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-54-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-50-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2824-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2872-354-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2872-353-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2976-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3068-300-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download