132766951c5d46a64ff16c1d1ee89005f4b8c5635906defa41d2dd1f78d65bf5

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
Size

71KB
MD5

a7e720c142cf1bc63541608f6c5c6f7d
SHA1

d512b2cf14eca8b911444b5bf784f7be6c3a3ff5
SHA256

132766951c5d46a64ff16c1d1ee89005f4b8c5635906defa41d2dd1f78d65bf5
SHA512

ce898930e4547c24a7af2ccb2513f3e4d7b78d54746e5915964c68a1e6d680d8b03126f9352b222894cc848d487317af0018b20e6f2c7143ef15f6713045d341
SSDEEP

1536:JiJm5ponB0DZoiUAvoT6DvDwIf1zwQVgv/Y:UJ2poSDZoi3v2G1zwLv/

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
612	userinit.exe
2852	system.exe
2632	system.exe
2604	system.exe
808	system.exe
1088	system.exe
2216	system.exe
1808	system.exe
2116	system.exe
2856	system.exe
1672	system.exe
800	system.exe
2040	system.exe
268	system.exe
2448	system.exe
2460	system.exe
1980	system.exe
1628	system.exe
2584	system.exe
1004	system.exe
1644	system.exe
1456	system.exe
2388	system.exe
1652	system.exe
2104	system.exe
2196	system.exe
1528	system.exe
2716	system.exe
3036	system.exe
2848	system.exe
1892	system.exe
1868	system.exe
1864	system.exe
588	system.exe
2292	system.exe
2136	system.exe
2792	system.exe
2492	system.exe
2116	system.exe
2952	system.exe
2920	system.exe
1636	system.exe
2088	system.exe
1760	system.exe
2180	system.exe
2212	system.exe
1704	system.exe
1464	system.exe
2160	system.exe
2144	system.exe
2020	system.exe
1816	system.exe
896	system.exe
1692	system.exe
1456	system.exe
1572	system.exe
1732	system.exe
884	system.exe
2528	system.exe
1548	system.exe
2892	system.exe
992	system.exe
2744	system.exe
2628	system.exe

Loads dropped DLL 64 IoCs

pid	Process
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe
612	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
612	userinit.exe
612	userinit.exe
2852	system.exe
612	userinit.exe
2632	system.exe
612	userinit.exe
2604	system.exe
612	userinit.exe
808	system.exe
612	userinit.exe
1088	system.exe
612	userinit.exe
2216	system.exe
612	userinit.exe
1808	system.exe
612	userinit.exe
2116	system.exe
612	userinit.exe
2856	system.exe
612	userinit.exe
1672	system.exe
612	userinit.exe
800	system.exe
612	userinit.exe
2040	system.exe
612	userinit.exe
268	system.exe
612	userinit.exe
2448	system.exe
612	userinit.exe
2460	system.exe
612	userinit.exe
1980	system.exe
612	userinit.exe
1628	system.exe
612	userinit.exe
2584	system.exe
612	userinit.exe
1004	system.exe
612	userinit.exe
1644	system.exe
612	userinit.exe
1456	system.exe
612	userinit.exe
2388	system.exe
612	userinit.exe
1652	system.exe
612	userinit.exe
2104	system.exe
612	userinit.exe
2196	system.exe
612	userinit.exe
1528	system.exe
612	userinit.exe
2716	system.exe
612	userinit.exe
3036	system.exe
612	userinit.exe
2848	system.exe
612	userinit.exe
1892	system.exe
612	userinit.exe
1868	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
612	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
612	userinit.exe
612	userinit.exe
2852	system.exe
2852	system.exe
2632	system.exe
2632	system.exe
2604	system.exe
2604	system.exe
808	system.exe
808	system.exe
1088	system.exe
1088	system.exe
2216	system.exe
2216	system.exe
1808	system.exe
1808	system.exe
2116	system.exe
2116	system.exe
2856	system.exe
2856	system.exe
1672	system.exe
1672	system.exe
800	system.exe
800	system.exe
2040	system.exe
2040	system.exe
268	system.exe
268	system.exe
2448	system.exe
2448	system.exe
2460	system.exe
2460	system.exe
1980	system.exe
1980	system.exe
1628	system.exe
1628	system.exe
2584	system.exe
2584	system.exe
1004	system.exe
1004	system.exe
1644	system.exe
1644	system.exe
1456	system.exe
1456	system.exe
2388	system.exe
2388	system.exe
1652	system.exe
1652	system.exe
2104	system.exe
2104	system.exe
2196	system.exe
2196	system.exe
1528	system.exe
1528	system.exe
2716	system.exe
2716	system.exe
3036	system.exe
3036	system.exe
2848	system.exe
2848	system.exe
1892	system.exe
1892	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 612	348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe	30
PID 348 wrote to memory of 612	348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe	30
PID 348 wrote to memory of 612	348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe	30
PID 348 wrote to memory of 612	348	a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe	30
PID 612 wrote to memory of 2852	612	userinit.exe	31
PID 612 wrote to memory of 2852	612	userinit.exe	31
PID 612 wrote to memory of 2852	612	userinit.exe	31
PID 612 wrote to memory of 2852	612	userinit.exe	31
PID 612 wrote to memory of 2632	612	userinit.exe	32
PID 612 wrote to memory of 2632	612	userinit.exe	32
PID 612 wrote to memory of 2632	612	userinit.exe	32
PID 612 wrote to memory of 2632	612	userinit.exe	32
PID 612 wrote to memory of 2604	612	userinit.exe	33
PID 612 wrote to memory of 2604	612	userinit.exe	33
PID 612 wrote to memory of 2604	612	userinit.exe	33
PID 612 wrote to memory of 2604	612	userinit.exe	33
PID 612 wrote to memory of 808	612	userinit.exe	34
PID 612 wrote to memory of 808	612	userinit.exe	34
PID 612 wrote to memory of 808	612	userinit.exe	34
PID 612 wrote to memory of 808	612	userinit.exe	34
PID 612 wrote to memory of 1088	612	userinit.exe	35
PID 612 wrote to memory of 1088	612	userinit.exe	35
PID 612 wrote to memory of 1088	612	userinit.exe	35
PID 612 wrote to memory of 1088	612	userinit.exe	35
PID 612 wrote to memory of 2216	612	userinit.exe	36
PID 612 wrote to memory of 2216	612	userinit.exe	36
PID 612 wrote to memory of 2216	612	userinit.exe	36
PID 612 wrote to memory of 2216	612	userinit.exe	36
PID 612 wrote to memory of 1808	612	userinit.exe	37
PID 612 wrote to memory of 1808	612	userinit.exe	37
PID 612 wrote to memory of 1808	612	userinit.exe	37
PID 612 wrote to memory of 1808	612	userinit.exe	37
PID 612 wrote to memory of 2116	612	userinit.exe	38
PID 612 wrote to memory of 2116	612	userinit.exe	38
PID 612 wrote to memory of 2116	612	userinit.exe	38
PID 612 wrote to memory of 2116	612	userinit.exe	38
PID 612 wrote to memory of 2856	612	userinit.exe	39
PID 612 wrote to memory of 2856	612	userinit.exe	39
PID 612 wrote to memory of 2856	612	userinit.exe	39
PID 612 wrote to memory of 2856	612	userinit.exe	39
PID 612 wrote to memory of 1672	612	userinit.exe	40
PID 612 wrote to memory of 1672	612	userinit.exe	40
PID 612 wrote to memory of 1672	612	userinit.exe	40
PID 612 wrote to memory of 1672	612	userinit.exe	40
PID 612 wrote to memory of 800	612	userinit.exe	41
PID 612 wrote to memory of 800	612	userinit.exe	41
PID 612 wrote to memory of 800	612	userinit.exe	41
PID 612 wrote to memory of 800	612	userinit.exe	41
PID 612 wrote to memory of 2040	612	userinit.exe	42
PID 612 wrote to memory of 2040	612	userinit.exe	42
PID 612 wrote to memory of 2040	612	userinit.exe	42
PID 612 wrote to memory of 2040	612	userinit.exe	42
PID 612 wrote to memory of 268	612	userinit.exe	43
PID 612 wrote to memory of 268	612	userinit.exe	43
PID 612 wrote to memory of 268	612	userinit.exe	43
PID 612 wrote to memory of 268	612	userinit.exe	43
PID 612 wrote to memory of 2448	612	userinit.exe	44
PID 612 wrote to memory of 2448	612	userinit.exe	44
PID 612 wrote to memory of 2448	612	userinit.exe	44
PID 612 wrote to memory of 2448	612	userinit.exe	44
PID 612 wrote to memory of 2460	612	userinit.exe	45
PID 612 wrote to memory of 2460	612	userinit.exe	45
PID 612 wrote to memory of 2460	612	userinit.exe	45
PID 612 wrote to memory of 2460	612	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7e720c142cf1bc63541608f6c5c6f7d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
71KB

MD5
a7e720c142cf1bc63541608f6c5c6f7d

SHA1
d512b2cf14eca8b911444b5bf784f7be6c3a3ff5

SHA256
132766951c5d46a64ff16c1d1ee89005f4b8c5635906defa41d2dd1f78d65bf5

SHA512
ce898930e4547c24a7af2ccb2513f3e4d7b78d54746e5915964c68a1e6d680d8b03126f9352b222894cc848d487317af0018b20e6f2c7143ef15f6713045d341

Download Submit
memory/268-175-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/348-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/348-12-0x00000000003A0000-0x00000000003F7000-memory.dmp

Filesize
348KB

Download
memory/348-20-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/348-19-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/348-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/588-366-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-624-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-662-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-56-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-915-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-68-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-521-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-494-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-897-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-888-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-870-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-860-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-130-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-138-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-861-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-495-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-835-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-817-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-800-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-791-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-489-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-243-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-244-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-774-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-757-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-714-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-713-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-695-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-512-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-441-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-652-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-440-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-642-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-325-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-330-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-607-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-42-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-598-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-387-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-396-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-405-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-410-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-415-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-312-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-548-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-530-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-450-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-475-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/612-484-0x0000000002E80000-0x0000000002ED7000-memory.dmp

Filesize
348KB

Download
memory/800-153-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/896-531-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1004-242-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1088-85-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1088-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1456-266-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1528-303-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1528-307-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1548-879-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1628-216-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-255-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1652-282-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1672-142-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1704-479-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1712-647-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1808-107-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1868-637-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1892-342-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2088-445-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2104-290-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2116-118-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2160-499-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2196-298-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2216-96-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2292-374-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2388-274-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2448-186-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2460-197-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2528-585-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-61-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2632-48-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2632-49-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2716-316-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2852-35-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2856-129-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3004-719-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3020-708-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download