61770d77a7db2f20d24636cb65ce4a731721457b3d6732edd53a7e1ba904c797

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
Size

284KB
MD5

eec674b56f65dac447d1d29030ffdeef
SHA1

b2fbc0defef8d4dac82276ea6e26c51a3be419a0
SHA256

61770d77a7db2f20d24636cb65ce4a731721457b3d6732edd53a7e1ba904c797
SHA512

33ddfff215b66d6b8007edcf3507f0378700fcd6eb82de2cee7af043f4a526ac55a52a966df36364befc6d203dbc174e16889f925df62c10b52d929d1fa68d67
SSDEEP

1536:pvf1zwQVgdYYuAXyeHl0BTFXEqkEgOUXhQp1of1zwQVgvKa60+:pn1zwLyYuAXyeaTFbkEg1Qp1o1zwLvK

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2784	userinit.exe
2552	system.exe
2660	system.exe
2596	system.exe
2496	system.exe
408	system.exe
1360	system.exe
2932	system.exe
2908	system.exe
2584	system.exe
2856	system.exe
2184	system.exe
1732	system.exe
1816	system.exe
1280	system.exe
1216	system.exe
2100	system.exe
1344	system.exe
948	system.exe
832	system.exe
1724	system.exe
1864	system.exe
1812	system.exe
2396	system.exe
2104	system.exe
344	system.exe
1744	system.exe
2448	system.exe
2800	system.exe
2804	system.exe
2760	system.exe
2572	system.exe
1496	system.exe
2588	system.exe
2596	system.exe
1416	system.exe
1060	system.exe
992	system.exe
1916	system.exe
2160	system.exe
2064	system.exe
2140	system.exe
3012	system.exe
2164	system.exe
2312	system.exe
2028	system.exe
3052	system.exe
2148	system.exe
2956	system.exe
2988	system.exe
1608	system.exe
2436	system.exe
1932	system.exe
916	system.exe
2120	system.exe
1632	system.exe
1644	system.exe
2768	system.exe
1944	system.exe
688	system.exe
2912	system.exe
2736	system.exe
2780	system.exe
2208	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe
2784	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
2784	userinit.exe
2784	userinit.exe
2552	system.exe
2784	userinit.exe
2660	system.exe
2784	userinit.exe
2596	system.exe
2784	userinit.exe
2496	system.exe
2784	userinit.exe
408	system.exe
2784	userinit.exe
1360	system.exe
2784	userinit.exe
2932	system.exe
2784	userinit.exe
2908	system.exe
2784	userinit.exe
2584	system.exe
2784	userinit.exe
2856	system.exe
2784	userinit.exe
2184	system.exe
2784	userinit.exe
1732	system.exe
2784	userinit.exe
1816	system.exe
2784	userinit.exe
1280	system.exe
2784	userinit.exe
1216	system.exe
2784	userinit.exe
2100	system.exe
2784	userinit.exe
1344	system.exe
2784	userinit.exe
948	system.exe
2784	userinit.exe
832	system.exe
2784	userinit.exe
1724	system.exe
2784	userinit.exe
1864	system.exe
2784	userinit.exe
1812	system.exe
2784	userinit.exe
2396	system.exe
2784	userinit.exe
2104	system.exe
2784	userinit.exe
344	system.exe
2784	userinit.exe
1744	system.exe
2784	userinit.exe
2448	system.exe
2784	userinit.exe
2800	system.exe
2784	userinit.exe
2804	system.exe
2784	userinit.exe
2760	system.exe
2784	userinit.exe
2572	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
2784	userinit.exe
2784	userinit.exe
2552	system.exe
2552	system.exe
2660	system.exe
2660	system.exe
2596	system.exe
2596	system.exe
2496	system.exe
2496	system.exe
408	system.exe
408	system.exe
1360	system.exe
1360	system.exe
2932	system.exe
2932	system.exe
2908	system.exe
2908	system.exe
2584	system.exe
2584	system.exe
2856	system.exe
2856	system.exe
2184	system.exe
2184	system.exe
1732	system.exe
1732	system.exe
1816	system.exe
1816	system.exe
1280	system.exe
1280	system.exe
1216	system.exe
1216	system.exe
2100	system.exe
2100	system.exe
1344	system.exe
1344	system.exe
948	system.exe
948	system.exe
832	system.exe
832	system.exe
1724	system.exe
1724	system.exe
1864	system.exe
1864	system.exe
1812	system.exe
1812	system.exe
2396	system.exe
2396	system.exe
2104	system.exe
2104	system.exe
344	system.exe
344	system.exe
1744	system.exe
1744	system.exe
2448	system.exe
2448	system.exe
2800	system.exe
2800	system.exe
2804	system.exe
2804	system.exe
2760	system.exe
2760	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2784	2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2784	2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2784	2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2784	2372	eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2552	2784	userinit.exe	31
PID 2784 wrote to memory of 2552	2784	userinit.exe	31
PID 2784 wrote to memory of 2552	2784	userinit.exe	31
PID 2784 wrote to memory of 2552	2784	userinit.exe	31
PID 2784 wrote to memory of 2660	2784	userinit.exe	32
PID 2784 wrote to memory of 2660	2784	userinit.exe	32
PID 2784 wrote to memory of 2660	2784	userinit.exe	32
PID 2784 wrote to memory of 2660	2784	userinit.exe	32
PID 2784 wrote to memory of 2596	2784	userinit.exe	33
PID 2784 wrote to memory of 2596	2784	userinit.exe	33
PID 2784 wrote to memory of 2596	2784	userinit.exe	33
PID 2784 wrote to memory of 2596	2784	userinit.exe	33
PID 2784 wrote to memory of 2496	2784	userinit.exe	34
PID 2784 wrote to memory of 2496	2784	userinit.exe	34
PID 2784 wrote to memory of 2496	2784	userinit.exe	34
PID 2784 wrote to memory of 2496	2784	userinit.exe	34
PID 2784 wrote to memory of 408	2784	userinit.exe	35
PID 2784 wrote to memory of 408	2784	userinit.exe	35
PID 2784 wrote to memory of 408	2784	userinit.exe	35
PID 2784 wrote to memory of 408	2784	userinit.exe	35
PID 2784 wrote to memory of 1360	2784	userinit.exe	36
PID 2784 wrote to memory of 1360	2784	userinit.exe	36
PID 2784 wrote to memory of 1360	2784	userinit.exe	36
PID 2784 wrote to memory of 1360	2784	userinit.exe	36
PID 2784 wrote to memory of 2932	2784	userinit.exe	37
PID 2784 wrote to memory of 2932	2784	userinit.exe	37
PID 2784 wrote to memory of 2932	2784	userinit.exe	37
PID 2784 wrote to memory of 2932	2784	userinit.exe	37
PID 2784 wrote to memory of 2908	2784	userinit.exe	38
PID 2784 wrote to memory of 2908	2784	userinit.exe	38
PID 2784 wrote to memory of 2908	2784	userinit.exe	38
PID 2784 wrote to memory of 2908	2784	userinit.exe	38
PID 2784 wrote to memory of 2584	2784	userinit.exe	39
PID 2784 wrote to memory of 2584	2784	userinit.exe	39
PID 2784 wrote to memory of 2584	2784	userinit.exe	39
PID 2784 wrote to memory of 2584	2784	userinit.exe	39
PID 2784 wrote to memory of 2856	2784	userinit.exe	40
PID 2784 wrote to memory of 2856	2784	userinit.exe	40
PID 2784 wrote to memory of 2856	2784	userinit.exe	40
PID 2784 wrote to memory of 2856	2784	userinit.exe	40
PID 2784 wrote to memory of 2184	2784	userinit.exe	41
PID 2784 wrote to memory of 2184	2784	userinit.exe	41
PID 2784 wrote to memory of 2184	2784	userinit.exe	41
PID 2784 wrote to memory of 2184	2784	userinit.exe	41
PID 2784 wrote to memory of 1732	2784	userinit.exe	42
PID 2784 wrote to memory of 1732	2784	userinit.exe	42
PID 2784 wrote to memory of 1732	2784	userinit.exe	42
PID 2784 wrote to memory of 1732	2784	userinit.exe	42
PID 2784 wrote to memory of 1816	2784	userinit.exe	43
PID 2784 wrote to memory of 1816	2784	userinit.exe	43
PID 2784 wrote to memory of 1816	2784	userinit.exe	43
PID 2784 wrote to memory of 1816	2784	userinit.exe	43
PID 2784 wrote to memory of 1280	2784	userinit.exe	44
PID 2784 wrote to memory of 1280	2784	userinit.exe	44
PID 2784 wrote to memory of 1280	2784	userinit.exe	44
PID 2784 wrote to memory of 1280	2784	userinit.exe	44
PID 2784 wrote to memory of 1216	2784	userinit.exe	45
PID 2784 wrote to memory of 1216	2784	userinit.exe	45
PID 2784 wrote to memory of 1216	2784	userinit.exe	45
PID 2784 wrote to memory of 1216	2784	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eec674b56f65dac447d1d29030ffdeef_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
284KB

MD5
eec674b56f65dac447d1d29030ffdeef

SHA1
b2fbc0defef8d4dac82276ea6e26c51a3be419a0

SHA256
61770d77a7db2f20d24636cb65ce4a731721457b3d6732edd53a7e1ba904c797

SHA512
33ddfff215b66d6b8007edcf3507f0378700fcd6eb82de2cee7af043f4a526ac55a52a966df36364befc6d203dbc174e16889f925df62c10b52d929d1fa68d67

Download Submit
memory/408-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/832-229-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/948-218-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/992-372-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1216-186-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1280-175-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1344-207-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1360-90-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1416-357-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1644-524-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1732-154-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1812-259-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1956-718-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2028-435-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-829-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2140-404-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2160-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2164-420-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2372-12-0x0000000000370000-0x00000000003B7000-memory.dmp

Filesize
284KB

Download
memory/2372-11-0x0000000000370000-0x00000000003B7000-memory.dmp

Filesize
284KB

Download
memory/2372-19-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2372-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2496-68-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2552-35-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2584-122-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2660-46-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2760-321-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2784-481-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-505-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-309-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-940-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-300-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-384-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-264-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-393-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-30-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-409-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-255-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-247-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-991-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-992-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-463-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-948-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-472-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-480-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-811-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-496-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-504-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-883-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-520-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2784-536-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-558-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-566-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-588-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-603-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-611-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-619-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-655-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-670-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-678-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-803-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2784-723-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-731-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2784-760-0x00000000023F0000-0x0000000002437000-memory.dmp

Filesize
284KB

Download
memory/2800-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2804-313-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2856-133-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2864-689-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2908-111-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2956-458-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2988-467-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3052-443-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download