ee379bdfef5b6f7c67f20c17dff7eeb58ac588cb64839b82d2e9089a89a033ab

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
Size

324KB
MD5

ed9e408758538897b98a27f61eecea9e
SHA1

3f10e4039b357199313ab2ac88e16fdd54987b91
SHA256

ee379bdfef5b6f7c67f20c17dff7eeb58ac588cb64839b82d2e9089a89a033ab
SHA512

ac17ed47a59245d6275fb16a4ac07dafcb29023d9f36fcac24ca75d5184a81a4d76fdae0b65ef477e1b15d287d40799c63aaf1b65766c6cfac260ea7d5330b55
SSDEEP

1536:+Qf1zwQVgUBgHuce/lrQKH4Xqk8fxTOcupRcf1zwQVgv/Y6c+:+w1zwLUBgHuceeKHbk8f7upR81zwLv/

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1700	userinit.exe
2788	system.exe
2836	system.exe
2844	system.exe
2840	system.exe
2708	system.exe
2648	system.exe
2296	system.exe
1096	system.exe
1668	system.exe
552	system.exe
348	system.exe
1324	system.exe
2936	system.exe
2328	system.exe
2180	system.exe
2920	system.exe
3028	system.exe
1868	system.exe
1664	system.exe
1768	system.exe
3032	system.exe
3064	system.exe
1928	system.exe
868	system.exe
1748	system.exe
2272	system.exe
1960	system.exe
2520	system.exe
1260	system.exe
2288	system.exe
2864	system.exe
2728	system.exe
2212	system.exe
2196	system.exe
2768	system.exe
2628	system.exe
2456	system.exe
2436	system.exe
2812	system.exe
1244	system.exe
1972	system.exe
1688	system.exe
1812	system.exe
1148	system.exe
1300	system.exe
2980	system.exe
2304	system.exe
2984	system.exe
1756	system.exe
2580	system.exe
596	system.exe
2388	system.exe
1060	system.exe
1828	system.exe
912	system.exe
1940	system.exe
1328	system.exe
2076	system.exe
2320	system.exe
1928	system.exe
868	system.exe
1696	system.exe
2272	system.exe

Loads dropped DLL 64 IoCs

pid	Process
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe
1700	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
1700	userinit.exe
1700	userinit.exe
2788	system.exe
1700	userinit.exe
2836	system.exe
1700	userinit.exe
2844	system.exe
1700	userinit.exe
2840	system.exe
1700	userinit.exe
2708	system.exe
1700	userinit.exe
2648	system.exe
1700	userinit.exe
2296	system.exe
1700	userinit.exe
1096	system.exe
1700	userinit.exe
1668	system.exe
1700	userinit.exe
552	system.exe
1700	userinit.exe
348	system.exe
1700	userinit.exe
1324	system.exe
1700	userinit.exe
2936	system.exe
1700	userinit.exe
2328	system.exe
1700	userinit.exe
2180	system.exe
1700	userinit.exe
2920	system.exe
1700	userinit.exe
3028	system.exe
1700	userinit.exe
1868	system.exe
1700	userinit.exe
1664	system.exe
1700	userinit.exe
1768	system.exe
1700	userinit.exe
3032	system.exe
1700	userinit.exe
3064	system.exe
1700	userinit.exe
1928	system.exe
1700	userinit.exe
868	system.exe
1700	userinit.exe
1748	system.exe
1700	userinit.exe
2272	system.exe
1700	userinit.exe
1960	system.exe
1700	userinit.exe
2520	system.exe
1700	userinit.exe
1260	system.exe
1700	userinit.exe
2288	system.exe
1700	userinit.exe
2864	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
1700	userinit.exe
1700	userinit.exe
2788	system.exe
2788	system.exe
2836	system.exe
2836	system.exe
2844	system.exe
2844	system.exe
2840	system.exe
2840	system.exe
2708	system.exe
2708	system.exe
2648	system.exe
2648	system.exe
2296	system.exe
2296	system.exe
1096	system.exe
1096	system.exe
1668	system.exe
1668	system.exe
552	system.exe
552	system.exe
348	system.exe
348	system.exe
1324	system.exe
1324	system.exe
2936	system.exe
2936	system.exe
2328	system.exe
2328	system.exe
2180	system.exe
2180	system.exe
2920	system.exe
2920	system.exe
3028	system.exe
3028	system.exe
1868	system.exe
1868	system.exe
1664	system.exe
1664	system.exe
1768	system.exe
1768	system.exe
3032	system.exe
3032	system.exe
3064	system.exe
3064	system.exe
1928	system.exe
1928	system.exe
868	system.exe
868	system.exe
1748	system.exe
1748	system.exe
2272	system.exe
2272	system.exe
1960	system.exe
1960	system.exe
2520	system.exe
2520	system.exe
1260	system.exe
1260	system.exe
2288	system.exe
2288	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1700	2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1700	2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1700	2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1700	2504	ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2788	1700	userinit.exe	31
PID 1700 wrote to memory of 2788	1700	userinit.exe	31
PID 1700 wrote to memory of 2788	1700	userinit.exe	31
PID 1700 wrote to memory of 2788	1700	userinit.exe	31
PID 1700 wrote to memory of 2836	1700	userinit.exe	32
PID 1700 wrote to memory of 2836	1700	userinit.exe	32
PID 1700 wrote to memory of 2836	1700	userinit.exe	32
PID 1700 wrote to memory of 2836	1700	userinit.exe	32
PID 1700 wrote to memory of 2844	1700	userinit.exe	33
PID 1700 wrote to memory of 2844	1700	userinit.exe	33
PID 1700 wrote to memory of 2844	1700	userinit.exe	33
PID 1700 wrote to memory of 2844	1700	userinit.exe	33
PID 1700 wrote to memory of 2840	1700	userinit.exe	34
PID 1700 wrote to memory of 2840	1700	userinit.exe	34
PID 1700 wrote to memory of 2840	1700	userinit.exe	34
PID 1700 wrote to memory of 2840	1700	userinit.exe	34
PID 1700 wrote to memory of 2708	1700	userinit.exe	35
PID 1700 wrote to memory of 2708	1700	userinit.exe	35
PID 1700 wrote to memory of 2708	1700	userinit.exe	35
PID 1700 wrote to memory of 2708	1700	userinit.exe	35
PID 1700 wrote to memory of 2648	1700	userinit.exe	36
PID 1700 wrote to memory of 2648	1700	userinit.exe	36
PID 1700 wrote to memory of 2648	1700	userinit.exe	36
PID 1700 wrote to memory of 2648	1700	userinit.exe	36
PID 1700 wrote to memory of 2296	1700	userinit.exe	37
PID 1700 wrote to memory of 2296	1700	userinit.exe	37
PID 1700 wrote to memory of 2296	1700	userinit.exe	37
PID 1700 wrote to memory of 2296	1700	userinit.exe	37
PID 1700 wrote to memory of 1096	1700	userinit.exe	38
PID 1700 wrote to memory of 1096	1700	userinit.exe	38
PID 1700 wrote to memory of 1096	1700	userinit.exe	38
PID 1700 wrote to memory of 1096	1700	userinit.exe	38
PID 1700 wrote to memory of 1668	1700	userinit.exe	39
PID 1700 wrote to memory of 1668	1700	userinit.exe	39
PID 1700 wrote to memory of 1668	1700	userinit.exe	39
PID 1700 wrote to memory of 1668	1700	userinit.exe	39
PID 1700 wrote to memory of 552	1700	userinit.exe	40
PID 1700 wrote to memory of 552	1700	userinit.exe	40
PID 1700 wrote to memory of 552	1700	userinit.exe	40
PID 1700 wrote to memory of 552	1700	userinit.exe	40
PID 1700 wrote to memory of 348	1700	userinit.exe	42
PID 1700 wrote to memory of 348	1700	userinit.exe	42
PID 1700 wrote to memory of 348	1700	userinit.exe	42
PID 1700 wrote to memory of 348	1700	userinit.exe	42
PID 1700 wrote to memory of 1324	1700	userinit.exe	43
PID 1700 wrote to memory of 1324	1700	userinit.exe	43
PID 1700 wrote to memory of 1324	1700	userinit.exe	43
PID 1700 wrote to memory of 1324	1700	userinit.exe	43
PID 1700 wrote to memory of 2936	1700	userinit.exe	44
PID 1700 wrote to memory of 2936	1700	userinit.exe	44
PID 1700 wrote to memory of 2936	1700	userinit.exe	44
PID 1700 wrote to memory of 2936	1700	userinit.exe	44
PID 1700 wrote to memory of 2328	1700	userinit.exe	45
PID 1700 wrote to memory of 2328	1700	userinit.exe	45
PID 1700 wrote to memory of 2328	1700	userinit.exe	45
PID 1700 wrote to memory of 2328	1700	userinit.exe	45
PID 1700 wrote to memory of 2180	1700	userinit.exe	46
PID 1700 wrote to memory of 2180	1700	userinit.exe	46
PID 1700 wrote to memory of 2180	1700	userinit.exe	46
PID 1700 wrote to memory of 2180	1700	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed9e408758538897b98a27f61eecea9e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
324KB

MD5
ed9e408758538897b98a27f61eecea9e

SHA1
3f10e4039b357199313ab2ac88e16fdd54987b91

SHA256
ee379bdfef5b6f7c67f20c17dff7eeb58ac588cb64839b82d2e9089a89a033ab

SHA512
ac17ed47a59245d6275fb16a4ac07dafcb29023d9f36fcac24ca75d5184a81a4d76fdae0b65ef477e1b15d287d40799c63aaf1b65766c6cfac260ea7d5330b55

Download Submit
memory/912-507-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1324-154-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1328-523-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1664-229-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1668-123-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1688-411-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1700-580-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-671-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-63-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-870-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-848-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-86-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-840-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-407-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-825-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-817-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1700-588-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-767-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-475-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-392-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-232-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1700-745-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-695-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-263-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-264-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-603-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-612-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-416-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-642-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-687-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-679-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-536-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-377-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1700-544-0x00000000025D0000-0x0000000002621000-memory.dmp

Filesize
324KB

Download
memory/1748-283-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1868-218-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1928-268-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1940-515-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2076-531-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2180-186-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2272-291-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2288-320-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2296-102-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2328-175-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2456-372-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2504-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2504-13-0x0000000000360000-0x00000000003B1000-memory.dmp

Filesize
324KB

Download
memory/2504-12-0x0000000000360000-0x00000000003B1000-memory.dmp

Filesize
324KB

Download
memory/2504-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2580-470-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2600-630-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-364-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2648-91-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2708-79-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2720-874-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2768-356-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2788-34-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-45-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2844-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2876-607-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2980-441-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3028-207-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3064-256-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3064-258-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download