0ef0aaa64b2f013d6acddbed59684558bc5f34855159cbc12c098cc4072f45b8

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
Size

746KB
MD5

d1c10ac6988580a48b5a4b0ff4ec1298
SHA1

bc780cb6a81a9eea7e64dc0df9c865ab720f84b8
SHA256

0ef0aaa64b2f013d6acddbed59684558bc5f34855159cbc12c098cc4072f45b8
SHA512

95b050bd72dea6758c9c77e52536c8bb10e8de03ff99e9c89044b6f456d8e3795b47f514c69f7681dd1743b8b3200eb3818945e2d8c4d9594e497b86af72797f
SSDEEP

12288:gvehvlYuXb6cK4QJrr186amIWge+RCQdyIMA65xb/T+ZXmwWE43LY/g5Bx:gvehviuXbZKXJrr186amIWgVRFyIMX5F

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2784	userinit.exe
2668	system.exe
2592	system.exe
2612	system.exe
2996	system.exe
3004	system.exe
1172	system.exe
1840	system.exe
1884	system.exe
2752	system.exe
532	system.exe
1828	system.exe
2924	system.exe
2236	system.exe
2220	system.exe
1708	system.exe
2504	system.exe
2212	system.exe
1240	system.exe
616	system.exe
1456	system.exe
2248	system.exe
2384	system.exe
2276	system.exe
2692	system.exe
1948	system.exe
2816	system.exe
2748	system.exe
2856	system.exe
2592	system.exe
2720	system.exe
2560	system.exe
2012	system.exe
2644	system.exe
2608	system.exe
1624	system.exe
1840	system.exe
1324	system.exe
2840	system.exe
2616	system.exe
1928	system.exe
1568	system.exe
2096	system.exe
2920	system.exe
2216	system.exe
2224	system.exe
700	system.exe
236	system.exe
464	system.exe
1740	system.exe
1784	system.exe
796	system.exe
2300	system.exe
2896	system.exe
2340	system.exe
1016	system.exe
1200	system.exe
2776	system.exe
2908	system.exe
2820	system.exe
2580	system.exe
2564	system.exe
1004	system.exe
2992	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
2784	userinit.exe
2784	userinit.exe
2668	system.exe
2784	userinit.exe
2592	system.exe
2784	userinit.exe
2612	system.exe
2784	userinit.exe
2996	system.exe
2784	userinit.exe
3004	system.exe
2784	userinit.exe
1172	system.exe
2784	userinit.exe
1840	system.exe
2784	userinit.exe
1884	system.exe
2784	userinit.exe
2752	system.exe
2784	userinit.exe
532	system.exe
2784	userinit.exe
1828	system.exe
2784	userinit.exe
2924	system.exe
2784	userinit.exe
2236	system.exe
2784	userinit.exe
2220	system.exe
2784	userinit.exe
1708	system.exe
2784	userinit.exe
2504	system.exe
2784	userinit.exe
2212	system.exe
2784	userinit.exe
1240	system.exe
2784	userinit.exe
616	system.exe
2784	userinit.exe
1456	system.exe
2784	userinit.exe
2248	system.exe
2784	userinit.exe
2384	system.exe
2784	userinit.exe
2276	system.exe
2784	userinit.exe
2692	system.exe
2784	userinit.exe
1948	system.exe
2784	userinit.exe
2816	system.exe
2784	userinit.exe
2748	system.exe
2784	userinit.exe
2856	system.exe
2784	userinit.exe
2592	system.exe
2784	userinit.exe
2720	system.exe
2784	userinit.exe
2560	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
2784	userinit.exe
2784	userinit.exe
2668	system.exe
2668	system.exe
2592	system.exe
2592	system.exe
2612	system.exe
2612	system.exe
2996	system.exe
2996	system.exe
3004	system.exe
3004	system.exe
1172	system.exe
1172	system.exe
1840	system.exe
1840	system.exe
1884	system.exe
1884	system.exe
2752	system.exe
2752	system.exe
532	system.exe
532	system.exe
1828	system.exe
1828	system.exe
2924	system.exe
2924	system.exe
2236	system.exe
2236	system.exe
2220	system.exe
2220	system.exe
1708	system.exe
1708	system.exe
2504	system.exe
2504	system.exe
2212	system.exe
2212	system.exe
1240	system.exe
1240	system.exe
616	system.exe
616	system.exe
1456	system.exe
1456	system.exe
2248	system.exe
2248	system.exe
2384	system.exe
2384	system.exe
2276	system.exe
2276	system.exe
2692	system.exe
2692	system.exe
1948	system.exe
1948	system.exe
2816	system.exe
2816	system.exe
2748	system.exe
2748	system.exe
2856	system.exe
2856	system.exe
2592	system.exe
2592	system.exe
2720	system.exe
2720	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2784	2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2784	2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2784	2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2784	2268	d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2668	2784	userinit.exe	31
PID 2784 wrote to memory of 2668	2784	userinit.exe	31
PID 2784 wrote to memory of 2668	2784	userinit.exe	31
PID 2784 wrote to memory of 2668	2784	userinit.exe	31
PID 2784 wrote to memory of 2592	2784	userinit.exe	32
PID 2784 wrote to memory of 2592	2784	userinit.exe	32
PID 2784 wrote to memory of 2592	2784	userinit.exe	32
PID 2784 wrote to memory of 2592	2784	userinit.exe	32
PID 2784 wrote to memory of 2612	2784	userinit.exe	33
PID 2784 wrote to memory of 2612	2784	userinit.exe	33
PID 2784 wrote to memory of 2612	2784	userinit.exe	33
PID 2784 wrote to memory of 2612	2784	userinit.exe	33
PID 2784 wrote to memory of 2996	2784	userinit.exe	34
PID 2784 wrote to memory of 2996	2784	userinit.exe	34
PID 2784 wrote to memory of 2996	2784	userinit.exe	34
PID 2784 wrote to memory of 2996	2784	userinit.exe	34
PID 2784 wrote to memory of 3004	2784	userinit.exe	35
PID 2784 wrote to memory of 3004	2784	userinit.exe	35
PID 2784 wrote to memory of 3004	2784	userinit.exe	35
PID 2784 wrote to memory of 3004	2784	userinit.exe	35
PID 2784 wrote to memory of 1172	2784	userinit.exe	36
PID 2784 wrote to memory of 1172	2784	userinit.exe	36
PID 2784 wrote to memory of 1172	2784	userinit.exe	36
PID 2784 wrote to memory of 1172	2784	userinit.exe	36
PID 2784 wrote to memory of 1840	2784	userinit.exe	37
PID 2784 wrote to memory of 1840	2784	userinit.exe	37
PID 2784 wrote to memory of 1840	2784	userinit.exe	37
PID 2784 wrote to memory of 1840	2784	userinit.exe	37
PID 2784 wrote to memory of 1884	2784	userinit.exe	38
PID 2784 wrote to memory of 1884	2784	userinit.exe	38
PID 2784 wrote to memory of 1884	2784	userinit.exe	38
PID 2784 wrote to memory of 1884	2784	userinit.exe	38
PID 2784 wrote to memory of 2752	2784	userinit.exe	39
PID 2784 wrote to memory of 2752	2784	userinit.exe	39
PID 2784 wrote to memory of 2752	2784	userinit.exe	39
PID 2784 wrote to memory of 2752	2784	userinit.exe	39
PID 2784 wrote to memory of 532	2784	userinit.exe	40
PID 2784 wrote to memory of 532	2784	userinit.exe	40
PID 2784 wrote to memory of 532	2784	userinit.exe	40
PID 2784 wrote to memory of 532	2784	userinit.exe	40
PID 2784 wrote to memory of 1828	2784	userinit.exe	41
PID 2784 wrote to memory of 1828	2784	userinit.exe	41
PID 2784 wrote to memory of 1828	2784	userinit.exe	41
PID 2784 wrote to memory of 1828	2784	userinit.exe	41
PID 2784 wrote to memory of 2924	2784	userinit.exe	42
PID 2784 wrote to memory of 2924	2784	userinit.exe	42
PID 2784 wrote to memory of 2924	2784	userinit.exe	42
PID 2784 wrote to memory of 2924	2784	userinit.exe	42
PID 2784 wrote to memory of 2236	2784	userinit.exe	43
PID 2784 wrote to memory of 2236	2784	userinit.exe	43
PID 2784 wrote to memory of 2236	2784	userinit.exe	43
PID 2784 wrote to memory of 2236	2784	userinit.exe	43
PID 2784 wrote to memory of 2220	2784	userinit.exe	44
PID 2784 wrote to memory of 2220	2784	userinit.exe	44
PID 2784 wrote to memory of 2220	2784	userinit.exe	44
PID 2784 wrote to memory of 2220	2784	userinit.exe	44
PID 2784 wrote to memory of 1708	2784	userinit.exe	45
PID 2784 wrote to memory of 1708	2784	userinit.exe	45
PID 2784 wrote to memory of 1708	2784	userinit.exe	45
PID 2784 wrote to memory of 1708	2784	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1c10ac6988580a48b5a4b0ff4ec1298_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
746KB

MD5
d1c10ac6988580a48b5a4b0ff4ec1298

SHA1
bc780cb6a81a9eea7e64dc0df9c865ab720f84b8

SHA256
0ef0aaa64b2f013d6acddbed59684558bc5f34855159cbc12c098cc4072f45b8

SHA512
95b050bd72dea6758c9c77e52536c8bb10e8de03ff99e9c89044b6f456d8e3795b47f514c69f7681dd1743b8b3200eb3818945e2d8c4d9594e497b86af72797f

Download Submit
memory/532-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/796-539-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1172-99-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1172-95-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1200-582-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1324-416-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-724-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1568-454-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1624-402-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1708-211-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1740-522-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1884-123-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-320-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2096-461-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2096-466-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2212-236-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2220-198-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2236-185-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2248-286-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2268-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2268-19-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2268-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2268-13-0x0000000002EA0000-0x0000000002EF8000-memory.dmp

Filesize
352KB

Download
memory/2268-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2276-304-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2292-688-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2292-683-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2384-296-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2504-224-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-353-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-49-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2612-62-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-434-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2644-386-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2668-37-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2668-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2692-312-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2748-336-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-137-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-133-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2776-592-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-144-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-581-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-255-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-270-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-282-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-281-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-257-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-291-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-237-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-231-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-218-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-219-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-205-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-337-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-938-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-192-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-382-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-920-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-169-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-411-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-157-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-921-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-433-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-131-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-124-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-106-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-460-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-459-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-107-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-471-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-910-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-496-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-876-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-867-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-576-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-809-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-256-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-591-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-69-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-601-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-611-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-610-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-620-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-637-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-800-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-672-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-673-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-682-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-57-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-52-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-693-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-701-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-719-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-755-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-754-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-764-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-773-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-783-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2784-782-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2840-428-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2856-345-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2904-901-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2920-475-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-174-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2992-646-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2996-75-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-86-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-87-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download