4f38bd7e243d09dbe6f391bdff72bb39634f47edd76c2e746e006c4474271a25

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe
Size

80KB
MD5

827ea4ccc49473ee12065e1c8b72024a
SHA1

0b89f20611021326debe4a8d9b15084df7a26bd1
SHA256

4f38bd7e243d09dbe6f391bdff72bb39634f47edd76c2e746e006c4474271a25
SHA512

2d5b6eb71959012a65c2a331df099510b7573115f568ce5e5eb4f521fc51a2b01df52924ebfb77f90dbd55b4bfcb900cd96260f6f04c6ed744c6d8fa190e84c7
SSDEEP

1536:/70spVbfKv2DHEv+x31yrwbPa5Gh2MjQpk6wZEaRhdsRRII:/VK+bEv+1bPa5K2MjMk6wZEajKII

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1032	userinit.exe
2128	system.exe
2812	system.exe
2312	system.exe
2636	system.exe
2684	system.exe
1872	system.exe
1576	system.exe
1800	system.exe
1868	system.exe
1676	system.exe
808	system.exe
2712	system.exe
2244	system.exe
1404	system.exe
3004	system.exe
1008	system.exe
1964	system.exe
1604	system.exe
3000	system.exe
1416	system.exe
2124	system.exe
1952	system.exe
2396	system.exe
2536	system.exe
2560	system.exe
2576	system.exe
2796	system.exe
2736	system.exe
2648	system.exe
2748	system.exe
2836	system.exe
2732	system.exe
844	system.exe
1668	system.exe
1760	system.exe
1688	system.exe
1356	system.exe
2900	system.exe
2924	system.exe
2072	system.exe
1900	system.exe
1100	system.exe
708	system.exe
2628	system.exe
840	system.exe
2248	system.exe
612	system.exe
2236	system.exe
1936	system.exe
2096	system.exe
1652	system.exe
1508	system.exe
2888	system.exe
2376	system.exe
2704	system.exe
2824	system.exe
2744	system.exe
2772	system.exe
2792	system.exe
2636	system.exe
2660	system.exe
2436	system.exe
2788	system.exe

Loads dropped DLL 64 IoCs

pid	Process
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe
1032	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe
1032	userinit.exe
1032	userinit.exe
2128	system.exe
1032	userinit.exe
2812	system.exe
1032	userinit.exe
2312	system.exe
1032	userinit.exe
2636	system.exe
1032	userinit.exe
2684	system.exe
1032	userinit.exe
1872	system.exe
1032	userinit.exe
1576	system.exe
1032	userinit.exe
1800	system.exe
1032	userinit.exe
1868	system.exe
1032	userinit.exe
1676	system.exe
1032	userinit.exe
808	system.exe
1032	userinit.exe
2712	system.exe
1032	userinit.exe
2244	system.exe
1032	userinit.exe
1404	system.exe
1032	userinit.exe
3004	system.exe
1032	userinit.exe
1008	system.exe
1032	userinit.exe
1964	system.exe
1032	userinit.exe
1604	system.exe
1032	userinit.exe
3000	system.exe
1032	userinit.exe
1416	system.exe
1032	userinit.exe
2124	system.exe
1032	userinit.exe
1952	system.exe
1032	userinit.exe
2396	system.exe
1032	userinit.exe
2536	system.exe
1032	userinit.exe
2560	system.exe
1032	userinit.exe
2576	system.exe
1032	userinit.exe
2796	system.exe
1032	userinit.exe
2736	system.exe
1032	userinit.exe
2648	system.exe
1032	userinit.exe
2748	system.exe
1032	userinit.exe
2836	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1032	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe
1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe
1032	userinit.exe
1032	userinit.exe
2128	system.exe
2128	system.exe
2812	system.exe
2812	system.exe
2312	system.exe
2312	system.exe
2636	system.exe
2636	system.exe
2684	system.exe
2684	system.exe
1872	system.exe
1872	system.exe
1576	system.exe
1576	system.exe
1800	system.exe
1800	system.exe
1868	system.exe
1868	system.exe
1676	system.exe
1676	system.exe
808	system.exe
808	system.exe
2712	system.exe
2712	system.exe
2244	system.exe
2244	system.exe
1404	system.exe
1404	system.exe
3004	system.exe
3004	system.exe
1008	system.exe
1008	system.exe
1964	system.exe
1964	system.exe
1604	system.exe
1604	system.exe
3000	system.exe
3000	system.exe
1416	system.exe
1416	system.exe
2124	system.exe
2124	system.exe
1952	system.exe
1952	system.exe
2396	system.exe
2396	system.exe
2536	system.exe
2536	system.exe
2560	system.exe
2560	system.exe
2576	system.exe
2576	system.exe
2796	system.exe
2796	system.exe
2736	system.exe
2736	system.exe
2648	system.exe
2648	system.exe
2748	system.exe
2748	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1032	1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 1032	1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 1032	1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 1032	1660	827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe	30
PID 1032 wrote to memory of 2128	1032	userinit.exe	31
PID 1032 wrote to memory of 2128	1032	userinit.exe	31
PID 1032 wrote to memory of 2128	1032	userinit.exe	31
PID 1032 wrote to memory of 2128	1032	userinit.exe	31
PID 1032 wrote to memory of 2812	1032	userinit.exe	32
PID 1032 wrote to memory of 2812	1032	userinit.exe	32
PID 1032 wrote to memory of 2812	1032	userinit.exe	32
PID 1032 wrote to memory of 2812	1032	userinit.exe	32
PID 1032 wrote to memory of 2312	1032	userinit.exe	33
PID 1032 wrote to memory of 2312	1032	userinit.exe	33
PID 1032 wrote to memory of 2312	1032	userinit.exe	33
PID 1032 wrote to memory of 2312	1032	userinit.exe	33
PID 1032 wrote to memory of 2636	1032	userinit.exe	34
PID 1032 wrote to memory of 2636	1032	userinit.exe	34
PID 1032 wrote to memory of 2636	1032	userinit.exe	34
PID 1032 wrote to memory of 2636	1032	userinit.exe	34
PID 1032 wrote to memory of 2684	1032	userinit.exe	36
PID 1032 wrote to memory of 2684	1032	userinit.exe	36
PID 1032 wrote to memory of 2684	1032	userinit.exe	36
PID 1032 wrote to memory of 2684	1032	userinit.exe	36
PID 1032 wrote to memory of 1872	1032	userinit.exe	37
PID 1032 wrote to memory of 1872	1032	userinit.exe	37
PID 1032 wrote to memory of 1872	1032	userinit.exe	37
PID 1032 wrote to memory of 1872	1032	userinit.exe	37
PID 1032 wrote to memory of 1576	1032	userinit.exe	38
PID 1032 wrote to memory of 1576	1032	userinit.exe	38
PID 1032 wrote to memory of 1576	1032	userinit.exe	38
PID 1032 wrote to memory of 1576	1032	userinit.exe	38
PID 1032 wrote to memory of 1800	1032	userinit.exe	39
PID 1032 wrote to memory of 1800	1032	userinit.exe	39
PID 1032 wrote to memory of 1800	1032	userinit.exe	39
PID 1032 wrote to memory of 1800	1032	userinit.exe	39
PID 1032 wrote to memory of 1868	1032	userinit.exe	40
PID 1032 wrote to memory of 1868	1032	userinit.exe	40
PID 1032 wrote to memory of 1868	1032	userinit.exe	40
PID 1032 wrote to memory of 1868	1032	userinit.exe	40
PID 1032 wrote to memory of 1676	1032	userinit.exe	41
PID 1032 wrote to memory of 1676	1032	userinit.exe	41
PID 1032 wrote to memory of 1676	1032	userinit.exe	41
PID 1032 wrote to memory of 1676	1032	userinit.exe	41
PID 1032 wrote to memory of 808	1032	userinit.exe	42
PID 1032 wrote to memory of 808	1032	userinit.exe	42
PID 1032 wrote to memory of 808	1032	userinit.exe	42
PID 1032 wrote to memory of 808	1032	userinit.exe	42
PID 1032 wrote to memory of 2712	1032	userinit.exe	43
PID 1032 wrote to memory of 2712	1032	userinit.exe	43
PID 1032 wrote to memory of 2712	1032	userinit.exe	43
PID 1032 wrote to memory of 2712	1032	userinit.exe	43
PID 1032 wrote to memory of 2244	1032	userinit.exe	44
PID 1032 wrote to memory of 2244	1032	userinit.exe	44
PID 1032 wrote to memory of 2244	1032	userinit.exe	44
PID 1032 wrote to memory of 2244	1032	userinit.exe	44
PID 1032 wrote to memory of 1404	1032	userinit.exe	45
PID 1032 wrote to memory of 1404	1032	userinit.exe	45
PID 1032 wrote to memory of 1404	1032	userinit.exe	45
PID 1032 wrote to memory of 1404	1032	userinit.exe	45
PID 1032 wrote to memory of 3004	1032	userinit.exe	46
PID 1032 wrote to memory of 3004	1032	userinit.exe	46
PID 1032 wrote to memory of 3004	1032	userinit.exe	46
PID 1032 wrote to memory of 3004	1032	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\827ea4ccc49473ee12065e1c8b72024a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
80KB

MD5
827ea4ccc49473ee12065e1c8b72024a

SHA1
0b89f20611021326debe4a8d9b15084df7a26bd1

SHA256
4f38bd7e243d09dbe6f391bdff72bb39634f47edd76c2e746e006c4474271a25

SHA512
2d5b6eb71959012a65c2a331df099510b7573115f568ce5e5eb4f521fc51a2b01df52924ebfb77f90dbd55b4bfcb900cd96260f6f04c6ed744c6d8fa190e84c7

Download Submit
memory/612-552-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/808-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/840-530-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/844-402-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-227-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1032-466-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-443-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-28-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-550-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-16-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1032-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1032-536-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-537-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-528-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-529-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-549-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-515-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-63-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-516-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-508-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-454-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-509-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-90-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-495-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-497-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-103-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-490-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-115-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-489-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-476-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-475-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-468-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-379-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-150-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1032-453-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-34-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-163-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-77-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-176-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-562-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-189-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-445-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-370-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-380-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-216-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-50-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-226-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-560-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-239-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-433-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-432-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-422-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-423-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-360-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-411-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-412-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-400-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-401-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-313-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-573-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-391-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-390-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-326-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-324-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1032-342-0x00000000023B0000-0x00000000023ED000-memory.dmp

Filesize
244KB

Download
memory/1356-446-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1404-201-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1416-279-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1576-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1604-251-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-14-0x0000000002430000-0x000000000246D000-memory.dmp

Filesize
244KB

Download
memory/1660-13-0x0000000002430000-0x000000000246D000-memory.dmp

Filesize
244KB

Download
memory/1660-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1660-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1668-413-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-155-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1688-437-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-131-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1868-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1872-107-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1964-243-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2124-289-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2128-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2128-36-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2128-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2236-563-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2244-193-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2248-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2312-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2312-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2312-65-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2376-627-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2396-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2396-306-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-318-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-327-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2636-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2636-78-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2648-365-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2684-93-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2684-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-177-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2748-374-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-51-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-52-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2836-385-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2924-469-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3000-267-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3000-263-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3004-217-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download