2430d040cac8edbdcf457f346ed497f7ebb471e63149869b91625dbb3af32d7e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
Size

233KB
MD5

aa22e04e78d0e84fa7d1bbdd6b15388b
SHA1

4e66da9e2a67241deb0b8dec02b82822db932dc5
SHA256

2430d040cac8edbdcf457f346ed497f7ebb471e63149869b91625dbb3af32d7e
SHA512

0f43d5e11ee5f199db91c42250c81311089bd105c7432aefdd22a2fd04eca6d6d05afb6fb082d7afa21680c220b66d54528236a770339eb493077b88db065107
SSDEEP

1536:qf1zwQVgon/3zeQplOQTO1OdB3923jpTf1zwQVgvw8UBgd:S1zwLe/3zeQLTrdB3Ip71zwLvwV

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1316	userinit.exe
1816	system.exe
2060	system.exe
2892	system.exe
2420	system.exe
2804	system.exe
2692	system.exe
264	system.exe
2024	system.exe
2260	system.exe
2696	system.exe
3024	system.exe
1032	system.exe
1764	system.exe
1812	system.exe
2396	system.exe
2384	system.exe
2616	system.exe
1592	system.exe
1948	system.exe
2104	system.exe
2372	system.exe
1672	system.exe
2464	system.exe
1708	system.exe
1992	system.exe
2132	system.exe
1552	system.exe
1100	system.exe
3008	system.exe
2496	system.exe
2996	system.exe
3012	system.exe
2816	system.exe
2632	system.exe
2708	system.exe
2692	system.exe
1932	system.exe
1928	system.exe
556	system.exe
2724	system.exe
2964	system.exe
3068	system.exe
760	system.exe
1032	system.exe
1244	system.exe
1312	system.exe
844	system.exe
2116	system.exe
1608	system.exe
864	system.exe
336	system.exe
1868	system.exe
680	system.exe
904	system.exe
960	system.exe
2308	system.exe
2216	system.exe
1128	system.exe
1988	system.exe
2348	system.exe
2356	system.exe
2092	system.exe
2040	system.exe

Loads dropped DLL 64 IoCs

pid	Process
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe
1316	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
1316	userinit.exe
1316	userinit.exe
1816	system.exe
1316	userinit.exe
2060	system.exe
1316	userinit.exe
2892	system.exe
1316	userinit.exe
2420	system.exe
1316	userinit.exe
2804	system.exe
1316	userinit.exe
2692	system.exe
1316	userinit.exe
264	system.exe
1316	userinit.exe
2024	system.exe
1316	userinit.exe
2260	system.exe
1316	userinit.exe
2696	system.exe
1316	userinit.exe
3024	system.exe
1316	userinit.exe
1032	system.exe
1316	userinit.exe
1764	system.exe
1316	userinit.exe
1812	system.exe
1316	userinit.exe
2396	system.exe
1316	userinit.exe
2384	system.exe
1316	userinit.exe
2616	system.exe
1316	userinit.exe
1592	system.exe
1316	userinit.exe
1948	system.exe
1316	userinit.exe
2104	system.exe
1316	userinit.exe
2372	system.exe
1316	userinit.exe
1672	system.exe
1316	userinit.exe
2464	system.exe
1316	userinit.exe
1708	system.exe
1316	userinit.exe
1992	system.exe
1316	userinit.exe
1316	userinit.exe
1552	system.exe
1316	userinit.exe
1100	system.exe
1316	userinit.exe
3008	system.exe
1316	userinit.exe
2496	system.exe
1316	userinit.exe
2996	system.exe
1316	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1316	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
1316	userinit.exe
1316	userinit.exe
1816	system.exe
1816	system.exe
2060	system.exe
2060	system.exe
2892	system.exe
2892	system.exe
2420	system.exe
2420	system.exe
2804	system.exe
2804	system.exe
2692	system.exe
2692	system.exe
264	system.exe
264	system.exe
2024	system.exe
2024	system.exe
2260	system.exe
2260	system.exe
2696	system.exe
2696	system.exe
3024	system.exe
3024	system.exe
1032	system.exe
1032	system.exe
1764	system.exe
1764	system.exe
1812	system.exe
1812	system.exe
2396	system.exe
2396	system.exe
2384	system.exe
2384	system.exe
2616	system.exe
2616	system.exe
1592	system.exe
1592	system.exe
1948	system.exe
1948	system.exe
2104	system.exe
2104	system.exe
2372	system.exe
2372	system.exe
1672	system.exe
1672	system.exe
2464	system.exe
2464	system.exe
1708	system.exe
1708	system.exe
1992	system.exe
1992	system.exe
1552	system.exe
1552	system.exe
1100	system.exe
1100	system.exe
3008	system.exe
3008	system.exe
2496	system.exe
2496	system.exe
2996	system.exe
2996	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1316	2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 1316	2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 1316	2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 1316	2716	aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1816	1316	userinit.exe	31
PID 1316 wrote to memory of 1816	1316	userinit.exe	31
PID 1316 wrote to memory of 1816	1316	userinit.exe	31
PID 1316 wrote to memory of 1816	1316	userinit.exe	31
PID 1316 wrote to memory of 2060	1316	userinit.exe	32
PID 1316 wrote to memory of 2060	1316	userinit.exe	32
PID 1316 wrote to memory of 2060	1316	userinit.exe	32
PID 1316 wrote to memory of 2060	1316	userinit.exe	32
PID 1316 wrote to memory of 2892	1316	userinit.exe	33
PID 1316 wrote to memory of 2892	1316	userinit.exe	33
PID 1316 wrote to memory of 2892	1316	userinit.exe	33
PID 1316 wrote to memory of 2892	1316	userinit.exe	33
PID 1316 wrote to memory of 2420	1316	userinit.exe	35
PID 1316 wrote to memory of 2420	1316	userinit.exe	35
PID 1316 wrote to memory of 2420	1316	userinit.exe	35
PID 1316 wrote to memory of 2420	1316	userinit.exe	35
PID 1316 wrote to memory of 2804	1316	userinit.exe	36
PID 1316 wrote to memory of 2804	1316	userinit.exe	36
PID 1316 wrote to memory of 2804	1316	userinit.exe	36
PID 1316 wrote to memory of 2804	1316	userinit.exe	36
PID 1316 wrote to memory of 2692	1316	userinit.exe	37
PID 1316 wrote to memory of 2692	1316	userinit.exe	37
PID 1316 wrote to memory of 2692	1316	userinit.exe	37
PID 1316 wrote to memory of 2692	1316	userinit.exe	37
PID 1316 wrote to memory of 264	1316	userinit.exe	38
PID 1316 wrote to memory of 264	1316	userinit.exe	38
PID 1316 wrote to memory of 264	1316	userinit.exe	38
PID 1316 wrote to memory of 264	1316	userinit.exe	38
PID 1316 wrote to memory of 2024	1316	userinit.exe	39
PID 1316 wrote to memory of 2024	1316	userinit.exe	39
PID 1316 wrote to memory of 2024	1316	userinit.exe	39
PID 1316 wrote to memory of 2024	1316	userinit.exe	39
PID 1316 wrote to memory of 2260	1316	userinit.exe	40
PID 1316 wrote to memory of 2260	1316	userinit.exe	40
PID 1316 wrote to memory of 2260	1316	userinit.exe	40
PID 1316 wrote to memory of 2260	1316	userinit.exe	40
PID 1316 wrote to memory of 2696	1316	userinit.exe	41
PID 1316 wrote to memory of 2696	1316	userinit.exe	41
PID 1316 wrote to memory of 2696	1316	userinit.exe	41
PID 1316 wrote to memory of 2696	1316	userinit.exe	41
PID 1316 wrote to memory of 3024	1316	userinit.exe	42
PID 1316 wrote to memory of 3024	1316	userinit.exe	42
PID 1316 wrote to memory of 3024	1316	userinit.exe	42
PID 1316 wrote to memory of 3024	1316	userinit.exe	42
PID 1316 wrote to memory of 1032	1316	userinit.exe	43
PID 1316 wrote to memory of 1032	1316	userinit.exe	43
PID 1316 wrote to memory of 1032	1316	userinit.exe	43
PID 1316 wrote to memory of 1032	1316	userinit.exe	43
PID 1316 wrote to memory of 1764	1316	userinit.exe	44
PID 1316 wrote to memory of 1764	1316	userinit.exe	44
PID 1316 wrote to memory of 1764	1316	userinit.exe	44
PID 1316 wrote to memory of 1764	1316	userinit.exe	44
PID 1316 wrote to memory of 1812	1316	userinit.exe	45
PID 1316 wrote to memory of 1812	1316	userinit.exe	45
PID 1316 wrote to memory of 1812	1316	userinit.exe	45
PID 1316 wrote to memory of 1812	1316	userinit.exe	45
PID 1316 wrote to memory of 2396	1316	userinit.exe	46
PID 1316 wrote to memory of 2396	1316	userinit.exe	46
PID 1316 wrote to memory of 2396	1316	userinit.exe	46
PID 1316 wrote to memory of 2396	1316	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa22e04e78d0e84fa7d1bbdd6b15388b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
233KB

MD5
aa22e04e78d0e84fa7d1bbdd6b15388b

SHA1
4e66da9e2a67241deb0b8dec02b82822db932dc5

SHA256
2430d040cac8edbdcf457f346ed497f7ebb471e63149869b91625dbb3af32d7e

SHA512
0f43d5e11ee5f199db91c42250c81311089bd105c7432aefdd22a2fd04eca6d6d05afb6fb082d7afa21680c220b66d54528236a770339eb493077b88db065107

Download Submit
memory/264-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/336-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/524-710-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/556-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/876-763-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-356-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-660-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-1140-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-1020-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-1005-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-98-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-997-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-891-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-118-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-133-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-869-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-388-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-847-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-818-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-789-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-200-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-759-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-748-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-692-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-675-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-75-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-645-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-296-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-630-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-305-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-622-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-314-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-322-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-607-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-331-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-339-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-585-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-397-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-527-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-364-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-379-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-517-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-156-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-510-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-348-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-39-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-420-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-428-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-502-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1316-29-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/1552-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1764-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1932-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-1112-0x0000000076FF0000-0x000000007710F000-memory.dmp

Filesize
1.1MB

Download
memory/2132-290-0x0000000077110000-0x000000007720A000-memory.dmp

Filesize
1000KB

Download
memory/2132-289-0x0000000076FF0000-0x000000007710F000-memory.dmp

Filesize
1.1MB

Download
memory/2132-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-1114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-754-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-12-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/2716-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-13-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/2804-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-679-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-687-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download