12be3d4cb83619755aac7075b20a46a2eae9a3ebd9adc7bb73716af1ade27977

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe
Size

571KB
MD5

a3382c1a52dfff30d6fc08aa7976c7a4
SHA1

29f4079f9be93d08242a1ec1f73bedfb64a7c716
SHA256

12be3d4cb83619755aac7075b20a46a2eae9a3ebd9adc7bb73716af1ade27977
SHA512

9f2e675a58b59f9f42821fcf4450060faa34101dea66d43cbda523be6efb2cf90118981d576005730a154100b11eb642d8c0b3b75a57de06f4f32216dcacde83
SSDEEP

12288:vXdSljCdooqiAbwB5kQ2H6bhk2LWEX7MtJbNWx3t:gwdop3wDkQs6dkpEXgbRWZt

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2072	userinit.exe
980	system.exe
2724	system.exe
2728	system.exe
2916	system.exe
2624	system.exe
2696	system.exe
660	system.exe
2864	system.exe
852	system.exe
1908	system.exe
1152	system.exe
2884	system.exe
2980	system.exe
2204	system.exe
2148	system.exe
2560	system.exe
1588	system.exe
1764	system.exe
836	system.exe
2184	system.exe
3064	system.exe
580	system.exe
1780	system.exe
2488	system.exe
1340	system.exe
2868	system.exe
1160	system.exe
3024	system.exe
2928	system.exe
2692	system.exe
2848	system.exe
2588	system.exe
2996	system.exe
3000	system.exe
1388	system.exe
1984	system.exe
1656	system.exe
680	system.exe
2896	system.exe
1928	system.exe
1772	system.exe
2196	system.exe
2108	system.exe
2748	system.exe
2148	system.exe
272	system.exe
1544	system.exe
1848	system.exe
2880	system.exe
1660	system.exe
2932	system.exe
2184	system.exe
2228	system.exe
316	system.exe
2020	system.exe
1568	system.exe
2548	system.exe
2392	system.exe
788	system.exe
992	system.exe
2012	system.exe
2812	system.exe
2692	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe
2072	userinit.exe
2072	userinit.exe
980	system.exe
2072	userinit.exe
2724	system.exe
2072	userinit.exe
2728	system.exe
2072	userinit.exe
2916	system.exe
2072	userinit.exe
2624	system.exe
2072	userinit.exe
2696	system.exe
2072	userinit.exe
660	system.exe
2072	userinit.exe
2864	system.exe
2072	userinit.exe
852	system.exe
2072	userinit.exe
1908	system.exe
2072	userinit.exe
1152	system.exe
2072	userinit.exe
2884	system.exe
2072	userinit.exe
2980	system.exe
2072	userinit.exe
2204	system.exe
2072	userinit.exe
2148	system.exe
2072	userinit.exe
2560	system.exe
2072	userinit.exe
1588	system.exe
2072	userinit.exe
1764	system.exe
2072	userinit.exe
836	system.exe
2072	userinit.exe
2184	system.exe
2072	userinit.exe
3064	system.exe
2072	userinit.exe
580	system.exe
2072	userinit.exe
1780	system.exe
2072	userinit.exe
2488	system.exe
2072	userinit.exe
1340	system.exe
2072	userinit.exe
2868	system.exe
2072	userinit.exe
1160	system.exe
2072	userinit.exe
3024	system.exe
2072	userinit.exe
2928	system.exe
2072	userinit.exe
2692	system.exe
2072	userinit.exe
2848	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe
2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe
2072	userinit.exe
2072	userinit.exe
980	system.exe
980	system.exe
2724	system.exe
2724	system.exe
2728	system.exe
2728	system.exe
2916	system.exe
2916	system.exe
2624	system.exe
2624	system.exe
2696	system.exe
2696	system.exe
660	system.exe
660	system.exe
2864	system.exe
2864	system.exe
852	system.exe
852	system.exe
1908	system.exe
1908	system.exe
1152	system.exe
1152	system.exe
2884	system.exe
2884	system.exe
2980	system.exe
2980	system.exe
2204	system.exe
2204	system.exe
2148	system.exe
2148	system.exe
2560	system.exe
2560	system.exe
1588	system.exe
1588	system.exe
1764	system.exe
1764	system.exe
836	system.exe
836	system.exe
2184	system.exe
2184	system.exe
3064	system.exe
3064	system.exe
580	system.exe
580	system.exe
1780	system.exe
1780	system.exe
2488	system.exe
2488	system.exe
1340	system.exe
1340	system.exe
2868	system.exe
2868	system.exe
1160	system.exe
1160	system.exe
3024	system.exe
3024	system.exe
2928	system.exe
2928	system.exe
2692	system.exe
2692	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2072	2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2072	2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2072	2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2072	2524	a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe	30
PID 2072 wrote to memory of 980	2072	userinit.exe	31
PID 2072 wrote to memory of 980	2072	userinit.exe	31
PID 2072 wrote to memory of 980	2072	userinit.exe	31
PID 2072 wrote to memory of 980	2072	userinit.exe	31
PID 2072 wrote to memory of 2724	2072	userinit.exe	32
PID 2072 wrote to memory of 2724	2072	userinit.exe	32
PID 2072 wrote to memory of 2724	2072	userinit.exe	32
PID 2072 wrote to memory of 2724	2072	userinit.exe	32
PID 2072 wrote to memory of 2728	2072	userinit.exe	33
PID 2072 wrote to memory of 2728	2072	userinit.exe	33
PID 2072 wrote to memory of 2728	2072	userinit.exe	33
PID 2072 wrote to memory of 2728	2072	userinit.exe	33
PID 2072 wrote to memory of 2916	2072	userinit.exe	34
PID 2072 wrote to memory of 2916	2072	userinit.exe	34
PID 2072 wrote to memory of 2916	2072	userinit.exe	34
PID 2072 wrote to memory of 2916	2072	userinit.exe	34
PID 2072 wrote to memory of 2624	2072	userinit.exe	36
PID 2072 wrote to memory of 2624	2072	userinit.exe	36
PID 2072 wrote to memory of 2624	2072	userinit.exe	36
PID 2072 wrote to memory of 2624	2072	userinit.exe	36
PID 2072 wrote to memory of 2696	2072	userinit.exe	37
PID 2072 wrote to memory of 2696	2072	userinit.exe	37
PID 2072 wrote to memory of 2696	2072	userinit.exe	37
PID 2072 wrote to memory of 2696	2072	userinit.exe	37
PID 2072 wrote to memory of 660	2072	userinit.exe	38
PID 2072 wrote to memory of 660	2072	userinit.exe	38
PID 2072 wrote to memory of 660	2072	userinit.exe	38
PID 2072 wrote to memory of 660	2072	userinit.exe	38
PID 2072 wrote to memory of 2864	2072	userinit.exe	39
PID 2072 wrote to memory of 2864	2072	userinit.exe	39
PID 2072 wrote to memory of 2864	2072	userinit.exe	39
PID 2072 wrote to memory of 2864	2072	userinit.exe	39
PID 2072 wrote to memory of 852	2072	userinit.exe	40
PID 2072 wrote to memory of 852	2072	userinit.exe	40
PID 2072 wrote to memory of 852	2072	userinit.exe	40
PID 2072 wrote to memory of 852	2072	userinit.exe	40
PID 2072 wrote to memory of 1908	2072	userinit.exe	41
PID 2072 wrote to memory of 1908	2072	userinit.exe	41
PID 2072 wrote to memory of 1908	2072	userinit.exe	41
PID 2072 wrote to memory of 1908	2072	userinit.exe	41
PID 2072 wrote to memory of 1152	2072	userinit.exe	42
PID 2072 wrote to memory of 1152	2072	userinit.exe	42
PID 2072 wrote to memory of 1152	2072	userinit.exe	42
PID 2072 wrote to memory of 1152	2072	userinit.exe	42
PID 2072 wrote to memory of 2884	2072	userinit.exe	43
PID 2072 wrote to memory of 2884	2072	userinit.exe	43
PID 2072 wrote to memory of 2884	2072	userinit.exe	43
PID 2072 wrote to memory of 2884	2072	userinit.exe	43
PID 2072 wrote to memory of 2980	2072	userinit.exe	44
PID 2072 wrote to memory of 2980	2072	userinit.exe	44
PID 2072 wrote to memory of 2980	2072	userinit.exe	44
PID 2072 wrote to memory of 2980	2072	userinit.exe	44
PID 2072 wrote to memory of 2204	2072	userinit.exe	45
PID 2072 wrote to memory of 2204	2072	userinit.exe	45
PID 2072 wrote to memory of 2204	2072	userinit.exe	45
PID 2072 wrote to memory of 2204	2072	userinit.exe	45
PID 2072 wrote to memory of 2148	2072	userinit.exe	46
PID 2072 wrote to memory of 2148	2072	userinit.exe	46
PID 2072 wrote to memory of 2148	2072	userinit.exe	46
PID 2072 wrote to memory of 2148	2072	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3382c1a52dfff30d6fc08aa7976c7a4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
571KB

MD5
a3382c1a52dfff30d6fc08aa7976c7a4

SHA1
29f4079f9be93d08242a1ec1f73bedfb64a7c716

SHA256
12be3d4cb83619755aac7075b20a46a2eae9a3ebd9adc7bb73716af1ade27977

SHA512
9f2e675a58b59f9f42821fcf4450060faa34101dea66d43cbda523be6efb2cf90118981d576005730a154100b11eb642d8c0b3b75a57de06f4f32216dcacde83

Download Submit
memory/580-278-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/660-108-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/680-712-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-808-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/788-608-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/980-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1132-772-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1160-325-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1264-767-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1388-393-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1588-222-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1656-415-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1764-233-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1780-286-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1848-514-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1908-142-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-439-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1984-403-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-375-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-465-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-929-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-920-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-845-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-836-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-131-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-835-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-234-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-252-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-791-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-265-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-264-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-274-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-790-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-283-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-781-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-293-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-294-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-303-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-320-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-14-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-326-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-331-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-332-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-341-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-762-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-761-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-358-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-751-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-741-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-392-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-707-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-402-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-44-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2072-690-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-416-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-421-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-438-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-639-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-456-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-629-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-475-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-474-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-595-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-485-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-484-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-582-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-498-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-31-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-553-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2072-544-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2108-752-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2148-198-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2148-489-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2180-821-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2184-257-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2204-186-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2524-13-0x0000000000530000-0x0000000000586000-memory.dmp

Filesize
344KB

Download
memory/2524-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2524-20-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2524-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2524-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2560-206-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2560-210-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2588-370-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2624-85-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-353-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2724-46-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2724-45-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2724-51-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2724-914-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2728-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2748-479-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-634-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2864-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2880-523-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2880-519-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2928-345-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2980-175-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-669-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download