679d48b6e916c79d5c3577e3fee64eea36b894b926c877189d360b24783dde72

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
Size

71KB
MD5

b06dcc6b8515f954327b1bb594055ff3
SHA1

8a9d7b73f9446c7f4a1cd24740d687080ca88993
SHA256

679d48b6e916c79d5c3577e3fee64eea36b894b926c877189d360b24783dde72
SHA512

013569b3baacea2497c160a5106be90c1dd0ce611264f79975539e8a35bbe9e1c7ed790a4739464e44056ace273a1376edec142918e7615d0d04e8c952f04626
SSDEEP

768:eSyCk0yiLw6K7njb5Vf0XghCF7RlH5sf1zBmQzTGfmgyq/4U:tkViCnoXghCF7PHWf1zwQVgv/F

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3028	userinit.exe
2152	system.exe
2644	system.exe
2900	system.exe
2820	system.exe
2556	system.exe
1296	system.exe
1744	system.exe
2668	system.exe
1424	system.exe
1656	system.exe
1204	system.exe
2084	system.exe
2012	system.exe
2428	system.exe
572	system.exe
1548	system.exe
2868	system.exe
1676	system.exe
2232	system.exe
1484	system.exe
2420	system.exe
684	system.exe
856	system.exe
2356	system.exe
3020	system.exe
2948	system.exe
2708	system.exe
2696	system.exe
2736	system.exe
2880	system.exe
2440	system.exe
2512	system.exe
2996	system.exe
1696	system.exe
1504	system.exe
1028	system.exe
912	system.exe
2812	system.exe
808	system.exe
1240	system.exe
2180	system.exe
612	system.exe
2064	system.exe
1288	system.exe
2924	system.exe
536	system.exe
1036	system.exe
1360	system.exe
1540	system.exe
1580	system.exe
2300	system.exe
1040	system.exe
1772	system.exe
2284	system.exe
2256	system.exe
1592	system.exe
2272	system.exe
2680	system.exe
2640	system.exe
2904	system.exe
2644	system.exe
2860	system.exe
1912	system.exe

Loads dropped DLL 64 IoCs

pid	Process
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
3028	userinit.exe
3028	userinit.exe
2152	system.exe
3028	userinit.exe
2644	system.exe
3028	userinit.exe
2900	system.exe
3028	userinit.exe
2820	system.exe
3028	userinit.exe
2556	system.exe
3028	userinit.exe
1296	system.exe
3028	userinit.exe
1744	system.exe
3028	userinit.exe
2668	system.exe
3028	userinit.exe
1424	system.exe
3028	userinit.exe
1656	system.exe
3028	userinit.exe
1204	system.exe
3028	userinit.exe
2084	system.exe
3028	userinit.exe
2012	system.exe
3028	userinit.exe
2428	system.exe
3028	userinit.exe
572	system.exe
3028	userinit.exe
1548	system.exe
3028	userinit.exe
2868	system.exe
3028	userinit.exe
1676	system.exe
3028	userinit.exe
2232	system.exe
3028	userinit.exe
1484	system.exe
3028	userinit.exe
2420	system.exe
3028	userinit.exe
684	system.exe
3028	userinit.exe
856	system.exe
3028	userinit.exe
2356	system.exe
3028	userinit.exe
3020	system.exe
3028	userinit.exe
2948	system.exe
3028	userinit.exe
2708	system.exe
3028	userinit.exe
2696	system.exe
3028	userinit.exe
2736	system.exe
3028	userinit.exe
2880	system.exe
3028	userinit.exe
2440	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
3028	userinit.exe
3028	userinit.exe
2152	system.exe
2152	system.exe
2644	system.exe
2644	system.exe
2900	system.exe
2900	system.exe
2820	system.exe
2820	system.exe
2556	system.exe
2556	system.exe
1296	system.exe
1296	system.exe
1744	system.exe
1744	system.exe
2668	system.exe
2668	system.exe
1424	system.exe
1424	system.exe
1656	system.exe
1656	system.exe
1204	system.exe
1204	system.exe
2084	system.exe
2084	system.exe
2012	system.exe
2012	system.exe
2428	system.exe
2428	system.exe
572	system.exe
572	system.exe
1548	system.exe
1548	system.exe
2868	system.exe
2868	system.exe
1676	system.exe
1676	system.exe
2232	system.exe
2232	system.exe
1484	system.exe
1484	system.exe
2420	system.exe
2420	system.exe
684	system.exe
684	system.exe
856	system.exe
856	system.exe
2356	system.exe
2356	system.exe
3020	system.exe
3020	system.exe
2948	system.exe
2948	system.exe
2708	system.exe
2708	system.exe
2696	system.exe
2696	system.exe
2736	system.exe
2736	system.exe
2880	system.exe
2880	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3028	2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe	30
PID 2236 wrote to memory of 3028	2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe	30
PID 2236 wrote to memory of 3028	2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe	30
PID 2236 wrote to memory of 3028	2236	b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2152	3028	userinit.exe	31
PID 3028 wrote to memory of 2152	3028	userinit.exe	31
PID 3028 wrote to memory of 2152	3028	userinit.exe	31
PID 3028 wrote to memory of 2152	3028	userinit.exe	31
PID 3028 wrote to memory of 2644	3028	userinit.exe	32
PID 3028 wrote to memory of 2644	3028	userinit.exe	32
PID 3028 wrote to memory of 2644	3028	userinit.exe	32
PID 3028 wrote to memory of 2644	3028	userinit.exe	32
PID 3028 wrote to memory of 2900	3028	userinit.exe	33
PID 3028 wrote to memory of 2900	3028	userinit.exe	33
PID 3028 wrote to memory of 2900	3028	userinit.exe	33
PID 3028 wrote to memory of 2900	3028	userinit.exe	33
PID 3028 wrote to memory of 2820	3028	userinit.exe	34
PID 3028 wrote to memory of 2820	3028	userinit.exe	34
PID 3028 wrote to memory of 2820	3028	userinit.exe	34
PID 3028 wrote to memory of 2820	3028	userinit.exe	34
PID 3028 wrote to memory of 2556	3028	userinit.exe	35
PID 3028 wrote to memory of 2556	3028	userinit.exe	35
PID 3028 wrote to memory of 2556	3028	userinit.exe	35
PID 3028 wrote to memory of 2556	3028	userinit.exe	35
PID 3028 wrote to memory of 1296	3028	userinit.exe	36
PID 3028 wrote to memory of 1296	3028	userinit.exe	36
PID 3028 wrote to memory of 1296	3028	userinit.exe	36
PID 3028 wrote to memory of 1296	3028	userinit.exe	36
PID 3028 wrote to memory of 1744	3028	userinit.exe	37
PID 3028 wrote to memory of 1744	3028	userinit.exe	37
PID 3028 wrote to memory of 1744	3028	userinit.exe	37
PID 3028 wrote to memory of 1744	3028	userinit.exe	37
PID 3028 wrote to memory of 2668	3028	userinit.exe	38
PID 3028 wrote to memory of 2668	3028	userinit.exe	38
PID 3028 wrote to memory of 2668	3028	userinit.exe	38
PID 3028 wrote to memory of 2668	3028	userinit.exe	38
PID 3028 wrote to memory of 1424	3028	userinit.exe	39
PID 3028 wrote to memory of 1424	3028	userinit.exe	39
PID 3028 wrote to memory of 1424	3028	userinit.exe	39
PID 3028 wrote to memory of 1424	3028	userinit.exe	39
PID 3028 wrote to memory of 1656	3028	userinit.exe	40
PID 3028 wrote to memory of 1656	3028	userinit.exe	40
PID 3028 wrote to memory of 1656	3028	userinit.exe	40
PID 3028 wrote to memory of 1656	3028	userinit.exe	40
PID 3028 wrote to memory of 1204	3028	userinit.exe	41
PID 3028 wrote to memory of 1204	3028	userinit.exe	41
PID 3028 wrote to memory of 1204	3028	userinit.exe	41
PID 3028 wrote to memory of 1204	3028	userinit.exe	41
PID 3028 wrote to memory of 2084	3028	userinit.exe	42
PID 3028 wrote to memory of 2084	3028	userinit.exe	42
PID 3028 wrote to memory of 2084	3028	userinit.exe	42
PID 3028 wrote to memory of 2084	3028	userinit.exe	42
PID 3028 wrote to memory of 2012	3028	userinit.exe	43
PID 3028 wrote to memory of 2012	3028	userinit.exe	43
PID 3028 wrote to memory of 2012	3028	userinit.exe	43
PID 3028 wrote to memory of 2012	3028	userinit.exe	43
PID 3028 wrote to memory of 2428	3028	userinit.exe	44
PID 3028 wrote to memory of 2428	3028	userinit.exe	44
PID 3028 wrote to memory of 2428	3028	userinit.exe	44
PID 3028 wrote to memory of 2428	3028	userinit.exe	44
PID 3028 wrote to memory of 572	3028	userinit.exe	45
PID 3028 wrote to memory of 572	3028	userinit.exe	45
PID 3028 wrote to memory of 572	3028	userinit.exe	45
PID 3028 wrote to memory of 572	3028	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b06dcc6b8515f954327b1bb594055ff3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
71KB

MD5
b06dcc6b8515f954327b1bb594055ff3

SHA1
8a9d7b73f9446c7f4a1cd24740d687080ca88993

SHA256
679d48b6e916c79d5c3577e3fee64eea36b894b926c877189d360b24783dde72

SHA512
013569b3baacea2497c160a5106be90c1dd0ce611264f79975539e8a35bbe9e1c7ed790a4739464e44056ace273a1376edec142918e7615d0d04e8c952f04626

Download Submit
memory/684-291-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/748-733-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/808-450-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/816-858-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/824-690-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/856-301-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/912-430-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/948-808-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/952-782-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1028-707-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1028-424-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-519-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1040-565-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1040-561-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-170-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-165-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1240-461-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1296-107-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1424-145-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1548-228-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1584-893-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1676-251-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-401-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-405-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1744-119-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1772-571-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2012-194-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2084-183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-38-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-39-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2180-468-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2232-262-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2236-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2236-13-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/2236-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2236-21-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2284-584-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2284-580-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2356-310-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2356-314-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2420-286-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2428-205-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2440-376-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2452-920-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2556-95-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2556-94-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2644-47-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2644-52-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-131-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2736-358-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2812-442-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2820-77-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2820-76-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2820-81-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2900-63-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2900-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2900-67-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2948-328-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2996-390-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2996-395-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3020-319-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-89-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-613-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-411-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-178-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-429-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-153-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-240-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-447-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-140-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-132-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-126-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-467-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-466-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-489-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-502-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-102-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-300-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-560-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-269-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-566-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-75-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-400-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-389-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-410-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-630-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-656-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-665-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-281-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-371-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-333-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-61-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-48-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3028-817-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-826-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-835-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-844-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-853-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-33-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-863-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-873-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-872-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-883-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-892-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3028-903-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-902-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/3028-15-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download