ada27e7c13d4e381025cd84c44431eda399bb2d4e808cadfd8b842e47b9d83c1

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
Size

71KB
MD5

8eb0a3a616f58e9075774764357c6ab7
SHA1

58379870ff54e6abb0f0c17771fb94df22ef49ba
SHA256

ada27e7c13d4e381025cd84c44431eda399bb2d4e808cadfd8b842e47b9d83c1
SHA512

ff9b388058aa6c18ff4f2eec0d98dd055a0dbb3596c9d6bd76830d547e024ffed47b30ad2800f6a15e21b11006a03201b1d195325edbd1d37aaf1d88d9fcd7f3
SSDEEP

768:paCaB044YAHIiSkrzzx0iDTOtMxZI5C8w/f1zBmQzTGfmgyq6zU:IC0OMcamTaWf1zwQVgv6I

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2364	userinit.exe
1804	system.exe
2392	system.exe
2792	system.exe
2824	system.exe
2952	system.exe
2652	system.exe
2588	system.exe
3024	system.exe
2808	system.exe
1972	system.exe
2804	system.exe
1304	system.exe
1768	system.exe
2144	system.exe
264	system.exe
440	system.exe
996	system.exe
1388	system.exe
1084	system.exe
1184	system.exe
2248	system.exe
1752	system.exe
2420	system.exe
1628	system.exe
2340	system.exe
3004	system.exe
1236	system.exe
2312	system.exe
2000	system.exe
2816	system.exe
2404	system.exe
3068	system.exe
2512	system.exe
2572	system.exe
2820	system.exe
2084	system.exe
836	system.exe
1416	system.exe
2756	system.exe
1232	system.exe
2780	system.exe
2240	system.exe
2260	system.exe
1484	system.exe
2424	system.exe
712	system.exe
872	system.exe
2268	system.exe
1452	system.exe
2024	system.exe
748	system.exe
316	system.exe
2368	system.exe
3000	system.exe
2376	system.exe
3060	system.exe
2868	system.exe
2392	system.exe
2784	system.exe
2648	system.exe
2884	system.exe
2556	system.exe
2008	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe
2364	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
2364	userinit.exe
2364	userinit.exe
1804	system.exe
2364	userinit.exe
2392	system.exe
2364	userinit.exe
2792	system.exe
2364	userinit.exe
2824	system.exe
2364	userinit.exe
2952	system.exe
2364	userinit.exe
2652	system.exe
2364	userinit.exe
2588	system.exe
2364	userinit.exe
3024	system.exe
2364	userinit.exe
2808	system.exe
2364	userinit.exe
1972	system.exe
2364	userinit.exe
2804	system.exe
2364	userinit.exe
1304	system.exe
2364	userinit.exe
1768	system.exe
2364	userinit.exe
2144	system.exe
2364	userinit.exe
264	system.exe
2364	userinit.exe
440	system.exe
2364	userinit.exe
996	system.exe
2364	userinit.exe
1388	system.exe
2364	userinit.exe
1084	system.exe
2364	userinit.exe
1184	system.exe
2364	userinit.exe
2248	system.exe
2364	userinit.exe
1752	system.exe
2364	userinit.exe
2420	system.exe
2364	userinit.exe
1628	system.exe
2364	userinit.exe
2340	system.exe
2364	userinit.exe
3004	system.exe
2364	userinit.exe
1236	system.exe
2364	userinit.exe
2312	system.exe
2364	userinit.exe
2000	system.exe
2364	userinit.exe
2816	system.exe
2364	userinit.exe
2404	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
2364	userinit.exe
2364	userinit.exe
1804	system.exe
1804	system.exe
2392	system.exe
2392	system.exe
2792	system.exe
2792	system.exe
2824	system.exe
2824	system.exe
2952	system.exe
2952	system.exe
2652	system.exe
2652	system.exe
2588	system.exe
2588	system.exe
3024	system.exe
3024	system.exe
2808	system.exe
2808	system.exe
1972	system.exe
1972	system.exe
2804	system.exe
2804	system.exe
1304	system.exe
1304	system.exe
1768	system.exe
1768	system.exe
2144	system.exe
2144	system.exe
264	system.exe
264	system.exe
440	system.exe
440	system.exe
996	system.exe
996	system.exe
1388	system.exe
1388	system.exe
1084	system.exe
1084	system.exe
1184	system.exe
1184	system.exe
2248	system.exe
2248	system.exe
1752	system.exe
1752	system.exe
2420	system.exe
2420	system.exe
1628	system.exe
1628	system.exe
2340	system.exe
2340	system.exe
3004	system.exe
3004	system.exe
1236	system.exe
1236	system.exe
2312	system.exe
2312	system.exe
2000	system.exe
2000	system.exe
2816	system.exe
2816	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2364	2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2364	2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2364	2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2364	2088	8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1804	2364	userinit.exe	31
PID 2364 wrote to memory of 1804	2364	userinit.exe	31
PID 2364 wrote to memory of 1804	2364	userinit.exe	31
PID 2364 wrote to memory of 1804	2364	userinit.exe	31
PID 2364 wrote to memory of 2392	2364	userinit.exe	32
PID 2364 wrote to memory of 2392	2364	userinit.exe	32
PID 2364 wrote to memory of 2392	2364	userinit.exe	32
PID 2364 wrote to memory of 2392	2364	userinit.exe	32
PID 2364 wrote to memory of 2792	2364	userinit.exe	33
PID 2364 wrote to memory of 2792	2364	userinit.exe	33
PID 2364 wrote to memory of 2792	2364	userinit.exe	33
PID 2364 wrote to memory of 2792	2364	userinit.exe	33
PID 2364 wrote to memory of 2824	2364	userinit.exe	34
PID 2364 wrote to memory of 2824	2364	userinit.exe	34
PID 2364 wrote to memory of 2824	2364	userinit.exe	34
PID 2364 wrote to memory of 2824	2364	userinit.exe	34
PID 2364 wrote to memory of 2952	2364	userinit.exe	35
PID 2364 wrote to memory of 2952	2364	userinit.exe	35
PID 2364 wrote to memory of 2952	2364	userinit.exe	35
PID 2364 wrote to memory of 2952	2364	userinit.exe	35
PID 2364 wrote to memory of 2652	2364	userinit.exe	36
PID 2364 wrote to memory of 2652	2364	userinit.exe	36
PID 2364 wrote to memory of 2652	2364	userinit.exe	36
PID 2364 wrote to memory of 2652	2364	userinit.exe	36
PID 2364 wrote to memory of 2588	2364	userinit.exe	37
PID 2364 wrote to memory of 2588	2364	userinit.exe	37
PID 2364 wrote to memory of 2588	2364	userinit.exe	37
PID 2364 wrote to memory of 2588	2364	userinit.exe	37
PID 2364 wrote to memory of 3024	2364	userinit.exe	38
PID 2364 wrote to memory of 3024	2364	userinit.exe	38
PID 2364 wrote to memory of 3024	2364	userinit.exe	38
PID 2364 wrote to memory of 3024	2364	userinit.exe	38
PID 2364 wrote to memory of 2808	2364	userinit.exe	39
PID 2364 wrote to memory of 2808	2364	userinit.exe	39
PID 2364 wrote to memory of 2808	2364	userinit.exe	39
PID 2364 wrote to memory of 2808	2364	userinit.exe	39
PID 2364 wrote to memory of 1972	2364	userinit.exe	40
PID 2364 wrote to memory of 1972	2364	userinit.exe	40
PID 2364 wrote to memory of 1972	2364	userinit.exe	40
PID 2364 wrote to memory of 1972	2364	userinit.exe	40
PID 2364 wrote to memory of 2804	2364	userinit.exe	41
PID 2364 wrote to memory of 2804	2364	userinit.exe	41
PID 2364 wrote to memory of 2804	2364	userinit.exe	41
PID 2364 wrote to memory of 2804	2364	userinit.exe	41
PID 2364 wrote to memory of 1304	2364	userinit.exe	42
PID 2364 wrote to memory of 1304	2364	userinit.exe	42
PID 2364 wrote to memory of 1304	2364	userinit.exe	42
PID 2364 wrote to memory of 1304	2364	userinit.exe	42
PID 2364 wrote to memory of 1768	2364	userinit.exe	43
PID 2364 wrote to memory of 1768	2364	userinit.exe	43
PID 2364 wrote to memory of 1768	2364	userinit.exe	43
PID 2364 wrote to memory of 1768	2364	userinit.exe	43
PID 2364 wrote to memory of 2144	2364	userinit.exe	44
PID 2364 wrote to memory of 2144	2364	userinit.exe	44
PID 2364 wrote to memory of 2144	2364	userinit.exe	44
PID 2364 wrote to memory of 2144	2364	userinit.exe	44
PID 2364 wrote to memory of 264	2364	userinit.exe	45
PID 2364 wrote to memory of 264	2364	userinit.exe	45
PID 2364 wrote to memory of 264	2364	userinit.exe	45
PID 2364 wrote to memory of 264	2364	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eb0a3a616f58e9075774764357c6ab7_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
71KB

MD5
8eb0a3a616f58e9075774764357c6ab7

SHA1
58379870ff54e6abb0f0c17771fb94df22ef49ba

SHA256
ada27e7c13d4e381025cd84c44431eda399bb2d4e808cadfd8b842e47b9d83c1

SHA512
ff9b388058aa6c18ff4f2eec0d98dd055a0dbb3596c9d6bd76830d547e024ffed47b30ad2800f6a15e21b11006a03201b1d195325edbd1d37aaf1d88d9fcd7f3

Download Submit
memory/264-204-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/440-212-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/712-527-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/872-538-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/996-227-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1184-262-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1232-464-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1236-329-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1304-167-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1388-238-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1416-443-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1452-559-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1628-296-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1768-182-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1804-38-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1804-34-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1972-148-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2024-570-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2084-423-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2084-421-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2088-13-0x0000000000270000-0x00000000002B9000-memory.dmp

Filesize
292KB

Download
memory/2088-21-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2088-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2088-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2144-193-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2248-269-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2260-497-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-407-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-450-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-636-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-626-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-247-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-246-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-120-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2364-617-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-616-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-609-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-303-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-608-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-596-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-315-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-314-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-325-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-324-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-595-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-337-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-338-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-346-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-345-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-356-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-355-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-366-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-365-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-376-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-375-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-386-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-385-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-398-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-397-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-588-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-589-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-406-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-575-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-576-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-567-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-420-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-419-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-429-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-428-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-442-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-569-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-440-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-441-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-451-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-144-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-14-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-463-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-462-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-472-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-471-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-15-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2364-554-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-485-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-486-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-493-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-492-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-555-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-506-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-505-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-513-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-512-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-526-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-525-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-544-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-534-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-533-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-32-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2364-543-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-545-0x0000000002640000-0x0000000002689000-memory.dmp

Filesize
292KB

Download
memory/2376-621-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2392-50-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2392-46-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2420-289-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2572-400-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2588-110-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2652-96-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2780-475-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2780-477-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2792-58-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2792-63-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2808-136-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2820-411-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2824-71-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2952-88-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2952-83-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3000-610-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3004-319-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3004-316-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3024-121-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3024-125-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download