3b04e49490253e9a35be1838b75f5e8a11bc47025fe847b126aa8a8c98c9cdd9

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
Size

211KB
MD5

83c5e9ebb50625691e160e92f8c8f244
SHA1

215df42eb95f52c9e7586fae1064552519f2c900
SHA256

3b04e49490253e9a35be1838b75f5e8a11bc47025fe847b126aa8a8c98c9cdd9
SHA512

0f28e3460589d9ce55f5dfb74db069a178f9c1005de8d9155f7b572961c7d8bb8f9107a9d282314ee366d07b0c61d9d917f966cec8b418b6f785a711713a5ac6
SSDEEP

768:NikxN1wLPr4rS518RxcW1J7XTC05GKJZQaHu7J4of1zBmQzTGfmgyqU:wkxN1wH4uHUD1V5pZQ64Zf1zwQVgvU

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2836	userinit.exe
2864	system.exe
2728	system.exe
2624	system.exe
1724	system.exe
1840	system.exe
1320	system.exe
2436	system.exe
2932	system.exe
3000	system.exe
2892	system.exe
2620	system.exe
320	system.exe
2196	system.exe
692	system.exe
580	system.exe
952	system.exe
1544	system.exe
1584	system.exe
2028	system.exe
2056	system.exe
2296	system.exe
760	system.exe
2328	system.exe
1632	system.exe
2832	system.exe
2920	system.exe
2584	system.exe
2728	system.exe
2632	system.exe
1340	system.exe
2072	system.exe
2664	system.exe
2756	system.exe
2940	system.exe
3036	system.exe
380	system.exe
788	system.exe
1160	system.exe
320	system.exe
2196	system.exe
1048	system.exe
1228	system.exe
808	system.exe
2040	system.exe
1544	system.exe
1108	system.exe
2640	system.exe
1000	system.exe
1608	system.exe
884	system.exe
2704	system.exe
2840	system.exe
2568	system.exe
2492	system.exe
2572	system.exe
2460	system.exe
988	system.exe
1652	system.exe
1664	system.exe
2796	system.exe
2216	system.exe
1232	system.exe
2768	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe
2836	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
2836	userinit.exe
2836	userinit.exe
2864	system.exe
2836	userinit.exe
2728	system.exe
2836	userinit.exe
2624	system.exe
2836	userinit.exe
1724	system.exe
2836	userinit.exe
1840	system.exe
2836	userinit.exe
1320	system.exe
2836	userinit.exe
2436	system.exe
2836	userinit.exe
2932	system.exe
2836	userinit.exe
3000	system.exe
2836	userinit.exe
2892	system.exe
2836	userinit.exe
2620	system.exe
2836	userinit.exe
320	system.exe
2836	userinit.exe
2196	system.exe
2836	userinit.exe
692	system.exe
2836	userinit.exe
580	system.exe
2836	userinit.exe
952	system.exe
2836	userinit.exe
1544	system.exe
2836	userinit.exe
1584	system.exe
2836	userinit.exe
2028	system.exe
2836	userinit.exe
2056	system.exe
2836	userinit.exe
2296	system.exe
2836	userinit.exe
760	system.exe
2836	userinit.exe
2836	userinit.exe
1632	system.exe
2836	userinit.exe
2832	system.exe
2836	userinit.exe
2920	system.exe
2836	userinit.exe
2584	system.exe
2836	userinit.exe
2728	system.exe
2836	userinit.exe
2632	system.exe
2836	userinit.exe
1340	system.exe
2836	userinit.exe
2072	system.exe
2836	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
2836	userinit.exe
2836	userinit.exe
2864	system.exe
2864	system.exe
2728	system.exe
2728	system.exe
2624	system.exe
2624	system.exe
1724	system.exe
1724	system.exe
1840	system.exe
1840	system.exe
1320	system.exe
1320	system.exe
2436	system.exe
2436	system.exe
2932	system.exe
2932	system.exe
3000	system.exe
3000	system.exe
2892	system.exe
2892	system.exe
2620	system.exe
2620	system.exe
320	system.exe
320	system.exe
2196	system.exe
2196	system.exe
692	system.exe
692	system.exe
580	system.exe
580	system.exe
952	system.exe
952	system.exe
1544	system.exe
1544	system.exe
1584	system.exe
1584	system.exe
2028	system.exe
2028	system.exe
2056	system.exe
2056	system.exe
2296	system.exe
2296	system.exe
760	system.exe
760	system.exe
1632	system.exe
1632	system.exe
2832	system.exe
2832	system.exe
2920	system.exe
2920	system.exe
2584	system.exe
2584	system.exe
2728	system.exe
2728	system.exe
2632	system.exe
2632	system.exe
1340	system.exe
1340	system.exe
2072	system.exe
2072	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2836	2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2836	2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2836	2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2836	2652	83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2864	2836	userinit.exe	31
PID 2836 wrote to memory of 2864	2836	userinit.exe	31
PID 2836 wrote to memory of 2864	2836	userinit.exe	31
PID 2836 wrote to memory of 2864	2836	userinit.exe	31
PID 2836 wrote to memory of 2728	2836	userinit.exe	32
PID 2836 wrote to memory of 2728	2836	userinit.exe	32
PID 2836 wrote to memory of 2728	2836	userinit.exe	32
PID 2836 wrote to memory of 2728	2836	userinit.exe	32
PID 2836 wrote to memory of 2624	2836	userinit.exe	33
PID 2836 wrote to memory of 2624	2836	userinit.exe	33
PID 2836 wrote to memory of 2624	2836	userinit.exe	33
PID 2836 wrote to memory of 2624	2836	userinit.exe	33
PID 2836 wrote to memory of 1724	2836	userinit.exe	34
PID 2836 wrote to memory of 1724	2836	userinit.exe	34
PID 2836 wrote to memory of 1724	2836	userinit.exe	34
PID 2836 wrote to memory of 1724	2836	userinit.exe	34
PID 2836 wrote to memory of 1840	2836	userinit.exe	35
PID 2836 wrote to memory of 1840	2836	userinit.exe	35
PID 2836 wrote to memory of 1840	2836	userinit.exe	35
PID 2836 wrote to memory of 1840	2836	userinit.exe	35
PID 2836 wrote to memory of 1320	2836	userinit.exe	36
PID 2836 wrote to memory of 1320	2836	userinit.exe	36
PID 2836 wrote to memory of 1320	2836	userinit.exe	36
PID 2836 wrote to memory of 1320	2836	userinit.exe	36
PID 2836 wrote to memory of 2436	2836	userinit.exe	37
PID 2836 wrote to memory of 2436	2836	userinit.exe	37
PID 2836 wrote to memory of 2436	2836	userinit.exe	37
PID 2836 wrote to memory of 2436	2836	userinit.exe	37
PID 2836 wrote to memory of 2932	2836	userinit.exe	38
PID 2836 wrote to memory of 2932	2836	userinit.exe	38
PID 2836 wrote to memory of 2932	2836	userinit.exe	38
PID 2836 wrote to memory of 2932	2836	userinit.exe	38
PID 2836 wrote to memory of 3000	2836	userinit.exe	39
PID 2836 wrote to memory of 3000	2836	userinit.exe	39
PID 2836 wrote to memory of 3000	2836	userinit.exe	39
PID 2836 wrote to memory of 3000	2836	userinit.exe	39
PID 2836 wrote to memory of 2892	2836	userinit.exe	40
PID 2836 wrote to memory of 2892	2836	userinit.exe	40
PID 2836 wrote to memory of 2892	2836	userinit.exe	40
PID 2836 wrote to memory of 2892	2836	userinit.exe	40
PID 2836 wrote to memory of 2620	2836	userinit.exe	41
PID 2836 wrote to memory of 2620	2836	userinit.exe	41
PID 2836 wrote to memory of 2620	2836	userinit.exe	41
PID 2836 wrote to memory of 2620	2836	userinit.exe	41
PID 2836 wrote to memory of 320	2836	userinit.exe	42
PID 2836 wrote to memory of 320	2836	userinit.exe	42
PID 2836 wrote to memory of 320	2836	userinit.exe	42
PID 2836 wrote to memory of 320	2836	userinit.exe	42
PID 2836 wrote to memory of 2196	2836	userinit.exe	43
PID 2836 wrote to memory of 2196	2836	userinit.exe	43
PID 2836 wrote to memory of 2196	2836	userinit.exe	43
PID 2836 wrote to memory of 2196	2836	userinit.exe	43
PID 2836 wrote to memory of 692	2836	userinit.exe	44
PID 2836 wrote to memory of 692	2836	userinit.exe	44
PID 2836 wrote to memory of 692	2836	userinit.exe	44
PID 2836 wrote to memory of 692	2836	userinit.exe	44
PID 2836 wrote to memory of 580	2836	userinit.exe	45
PID 2836 wrote to memory of 580	2836	userinit.exe	45
PID 2836 wrote to memory of 580	2836	userinit.exe	45
PID 2836 wrote to memory of 580	2836	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83c5e9ebb50625691e160e92f8c8f244_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
211KB

MD5
83c5e9ebb50625691e160e92f8c8f244

SHA1
215df42eb95f52c9e7586fae1064552519f2c900

SHA256
3b04e49490253e9a35be1838b75f5e8a11bc47025fe847b126aa8a8c98c9cdd9

SHA512
0f28e3460589d9ce55f5dfb74db069a178f9c1005de8d9155f7b572961c7d8bb8f9107a9d282314ee366d07b0c61d9d917f966cec8b418b6f785a711713a5ac6

Download Submit
memory/320-483-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/320-482-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/380-450-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/692-197-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-301-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/788-459-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/788-461-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1320-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1340-387-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-246-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1724-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1724-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1840-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1840-89-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2056-274-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-396-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2196-183-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2196-492-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2196-494-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2196-185-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2296-291-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2328-308-0x0000000077840000-0x000000007795F000-memory.dmp

Filesize
1.1MB

Download
memory/2328-311-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2328-309-0x0000000077960000-0x0000000077A5A000-memory.dmp

Filesize
1000KB

Download
memory/2436-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2584-353-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2584-355-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-61-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2632-377-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-566-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2652-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2652-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2652-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2652-14-0x0000000002F40000-0x0000000002FC2000-memory.dmp

Filesize
520KB

Download
memory/2652-13-0x0000000002F40000-0x0000000002FC2000-memory.dmp

Filesize
520KB

Download
memory/2664-407-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-611-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-365-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-49-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2756-419-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2756-420-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-333-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-328-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-406-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-286-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-296-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-297-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-272-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-306-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-273-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-310-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-259-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-260-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-317-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-316-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-258-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-330-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-244-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-245-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-338-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-339-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-348-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-351-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-231-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-232-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-361-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-360-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-218-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-374-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-372-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-219-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-375-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-382-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-383-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-207-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-395-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-205-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-394-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-193-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-285-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-405-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-416-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-418-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-425-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-426-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-439-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-440-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-446-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-445-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-28-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-111-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-457-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-458-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-99-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-467-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-468-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-466-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-478-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-480-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-86-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-560-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-522-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-491-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-489-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-523-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-502-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-504-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-510-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2836-509-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/2864-37-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2864-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2864-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2892-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2932-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download