8d569fd43f00b7e277e5665c781c88252956a542525e9204f05020e800961b62

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
Size

68KB
MD5

c0630fa486eab503735b48d6b9f50928
SHA1

e1ae200c9ae0966df4dfc23ec74241706f8d8cdd
SHA256

8d569fd43f00b7e277e5665c781c88252956a542525e9204f05020e800961b62
SHA512

c4d45c22dd30787aa0af48e940140fa1c40783e8f514538407d10370889fce39978f0517a592961549974d6ec5cee5b400e8b281d3f307f65b562bab1fcdea46
SSDEEP

768:BnX7Ag5YxnE+O1dh9EBnr5R+9LOZdU1paOFbMNXVlqf1zBmQzTGfmgyqaq:BnXsXEf1dzwnr5R6869yXmf1zwQVgva

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2072	userinit.exe
2776	system.exe
2964	system.exe
2676	system.exe
2760	system.exe
2816	system.exe
2888	system.exe
2152	system.exe
3036	system.exe
2736	system.exe
708	system.exe
1644	system.exe
932	system.exe
1340	system.exe
1052	system.exe
2120	system.exe
800	system.exe
616	system.exe
348	system.exe
112	system.exe
2548	system.exe
264	system.exe
1620	system.exe
1476	system.exe
1980	system.exe
2128	system.exe
1596	system.exe
1272	system.exe
1820	system.exe
2932	system.exe
2764	system.exe
2472	system.exe
2704	system.exe
2680	system.exe
2696	system.exe
2912	system.exe
2112	system.exe
2412	system.exe
3056	system.exe
840	system.exe
2144	system.exe
2716	system.exe
2176	system.exe
1720	system.exe
1040	system.exe
452	system.exe
1632	system.exe
2208	system.exe
1912	system.exe
2444	system.exe
2612	system.exe
488	system.exe
2620	system.exe
1132	system.exe
752	system.exe
1168	system.exe
1968	system.exe
2572	system.exe
2184	system.exe
1584	system.exe
2224	system.exe
2804	system.exe
2160	system.exe
2508	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe
2072	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
2072	userinit.exe
2072	userinit.exe
2776	system.exe
2072	userinit.exe
2964	system.exe
2072	userinit.exe
2676	system.exe
2072	userinit.exe
2760	system.exe
2072	userinit.exe
2816	system.exe
2072	userinit.exe
2888	system.exe
2072	userinit.exe
2152	system.exe
2072	userinit.exe
3036	system.exe
2072	userinit.exe
2736	system.exe
2072	userinit.exe
708	system.exe
2072	userinit.exe
1644	system.exe
2072	userinit.exe
932	system.exe
2072	userinit.exe
1340	system.exe
2072	userinit.exe
1052	system.exe
2072	userinit.exe
2120	system.exe
2072	userinit.exe
800	system.exe
2072	userinit.exe
616	system.exe
2072	userinit.exe
348	system.exe
2072	userinit.exe
112	system.exe
2072	userinit.exe
2548	system.exe
2072	userinit.exe
264	system.exe
2072	userinit.exe
1620	system.exe
2072	userinit.exe
1476	system.exe
2072	userinit.exe
1980	system.exe
2072	userinit.exe
2128	system.exe
2072	userinit.exe
1596	system.exe
2072	userinit.exe
1272	system.exe
2072	userinit.exe
1820	system.exe
2072	userinit.exe
2932	system.exe
2072	userinit.exe
2764	system.exe
2072	userinit.exe
2472	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
2072	userinit.exe
2072	userinit.exe
2776	system.exe
2776	system.exe
2964	system.exe
2964	system.exe
2676	system.exe
2676	system.exe
2760	system.exe
2760	system.exe
2816	system.exe
2816	system.exe
2888	system.exe
2888	system.exe
2152	system.exe
2152	system.exe
3036	system.exe
3036	system.exe
2736	system.exe
2736	system.exe
708	system.exe
708	system.exe
1644	system.exe
1644	system.exe
932	system.exe
932	system.exe
1340	system.exe
1340	system.exe
1052	system.exe
1052	system.exe
2120	system.exe
2120	system.exe
800	system.exe
800	system.exe
616	system.exe
616	system.exe
348	system.exe
348	system.exe
112	system.exe
112	system.exe
2548	system.exe
2548	system.exe
264	system.exe
264	system.exe
1620	system.exe
1620	system.exe
1476	system.exe
1476	system.exe
1980	system.exe
1980	system.exe
2128	system.exe
2128	system.exe
1596	system.exe
1596	system.exe
1272	system.exe
1272	system.exe
1820	system.exe
1820	system.exe
2932	system.exe
2932	system.exe
2764	system.exe
2764	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2072	1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2072	1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2072	1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2072	1820	c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2776	2072	userinit.exe	30
PID 2072 wrote to memory of 2776	2072	userinit.exe	30
PID 2072 wrote to memory of 2776	2072	userinit.exe	30
PID 2072 wrote to memory of 2776	2072	userinit.exe	30
PID 2072 wrote to memory of 2964	2072	userinit.exe	31
PID 2072 wrote to memory of 2964	2072	userinit.exe	31
PID 2072 wrote to memory of 2964	2072	userinit.exe	31
PID 2072 wrote to memory of 2964	2072	userinit.exe	31
PID 2072 wrote to memory of 2676	2072	userinit.exe	32
PID 2072 wrote to memory of 2676	2072	userinit.exe	32
PID 2072 wrote to memory of 2676	2072	userinit.exe	32
PID 2072 wrote to memory of 2676	2072	userinit.exe	32
PID 2072 wrote to memory of 2760	2072	userinit.exe	33
PID 2072 wrote to memory of 2760	2072	userinit.exe	33
PID 2072 wrote to memory of 2760	2072	userinit.exe	33
PID 2072 wrote to memory of 2760	2072	userinit.exe	33
PID 2072 wrote to memory of 2816	2072	userinit.exe	34
PID 2072 wrote to memory of 2816	2072	userinit.exe	34
PID 2072 wrote to memory of 2816	2072	userinit.exe	34
PID 2072 wrote to memory of 2816	2072	userinit.exe	34
PID 2072 wrote to memory of 2888	2072	userinit.exe	35
PID 2072 wrote to memory of 2888	2072	userinit.exe	35
PID 2072 wrote to memory of 2888	2072	userinit.exe	35
PID 2072 wrote to memory of 2888	2072	userinit.exe	35
PID 2072 wrote to memory of 2152	2072	userinit.exe	36
PID 2072 wrote to memory of 2152	2072	userinit.exe	36
PID 2072 wrote to memory of 2152	2072	userinit.exe	36
PID 2072 wrote to memory of 2152	2072	userinit.exe	36
PID 2072 wrote to memory of 3036	2072	userinit.exe	37
PID 2072 wrote to memory of 3036	2072	userinit.exe	37
PID 2072 wrote to memory of 3036	2072	userinit.exe	37
PID 2072 wrote to memory of 3036	2072	userinit.exe	37
PID 2072 wrote to memory of 2736	2072	userinit.exe	38
PID 2072 wrote to memory of 2736	2072	userinit.exe	38
PID 2072 wrote to memory of 2736	2072	userinit.exe	38
PID 2072 wrote to memory of 2736	2072	userinit.exe	38
PID 2072 wrote to memory of 708	2072	userinit.exe	39
PID 2072 wrote to memory of 708	2072	userinit.exe	39
PID 2072 wrote to memory of 708	2072	userinit.exe	39
PID 2072 wrote to memory of 708	2072	userinit.exe	39
PID 2072 wrote to memory of 1644	2072	userinit.exe	40
PID 2072 wrote to memory of 1644	2072	userinit.exe	40
PID 2072 wrote to memory of 1644	2072	userinit.exe	40
PID 2072 wrote to memory of 1644	2072	userinit.exe	40
PID 2072 wrote to memory of 932	2072	userinit.exe	41
PID 2072 wrote to memory of 932	2072	userinit.exe	41
PID 2072 wrote to memory of 932	2072	userinit.exe	41
PID 2072 wrote to memory of 932	2072	userinit.exe	41
PID 2072 wrote to memory of 1340	2072	userinit.exe	42
PID 2072 wrote to memory of 1340	2072	userinit.exe	42
PID 2072 wrote to memory of 1340	2072	userinit.exe	42
PID 2072 wrote to memory of 1340	2072	userinit.exe	42
PID 2072 wrote to memory of 1052	2072	userinit.exe	43
PID 2072 wrote to memory of 1052	2072	userinit.exe	43
PID 2072 wrote to memory of 1052	2072	userinit.exe	43
PID 2072 wrote to memory of 1052	2072	userinit.exe	43
PID 2072 wrote to memory of 2120	2072	userinit.exe	44
PID 2072 wrote to memory of 2120	2072	userinit.exe	44
PID 2072 wrote to memory of 2120	2072	userinit.exe	44
PID 2072 wrote to memory of 2120	2072	userinit.exe	44

C:\Users\Admin\AppData\Local\Temp\c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0630fa486eab503735b48d6b9f50928_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
68KB

MD5
c0630fa486eab503735b48d6b9f50928

SHA1
e1ae200c9ae0966df4dfc23ec74241706f8d8cdd

SHA256
8d569fd43f00b7e277e5665c781c88252956a542525e9204f05020e800961b62

SHA512
c4d45c22dd30787aa0af48e940140fa1c40783e8f514538407d10370889fce39978f0517a592961549974d6ec5cee5b400e8b281d3f307f65b562bab1fcdea46

Download Submit
memory/112-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/264-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/348-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-776-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/544-838-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/616-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/708-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/752-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/932-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1560-756-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-609-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-13-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1820-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-14-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1820-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1820-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1912-505-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-579-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-622-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-726-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-143-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-109-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-1305-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-1288-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-96-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-1222-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-200-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-968-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-94-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-959-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-83-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-258-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-853-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-270-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-843-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-295-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-833-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-320-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-329-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-68-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-347-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-396-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-800-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-781-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-424-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-423-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-441-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-458-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-467-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-476-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-485-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-494-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-16-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2072-499-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-504-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-771-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-514-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-531-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-762-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-549-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-58-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-558-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-751-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-569-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-568-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-46-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2072-578-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-592-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-44-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-717-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-647-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-672-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2072-690-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2120-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-498-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-1213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-782-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-1074-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2552-795-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-540-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-37-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2816-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-50-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-707-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-712-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download