f908292a20405e060595e9a0447e897b04d2da21b4dd1b9878322463439e9b09

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
Size

244KB
MD5

ff2c87c458cecdf0ff84ed2cc6f01fe9
SHA1

fe5191103e09af59fbf8a001911d227f067b0c4e
SHA256

f908292a20405e060595e9a0447e897b04d2da21b4dd1b9878322463439e9b09
SHA512

57d6324af7cb162f7624742c8b2ae9ea5f85582f9420034f105a28f3b5d2135d574192ce01607cb55bc68a82fed86e9a201b560a2f701df0236c0a6fad4ad7fc
SSDEEP

3072:fn1zwLyYuAXyeaTFbkEg1Qp1o1zwLvKAP3G9:fn1zNWUZbkFQp1o1zmPa

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2840	userinit.exe
2676	system.exe
2592	system.exe
2760	system.exe
700	system.exe
580	system.exe
1712	system.exe
856	system.exe
2928	system.exe
2984	system.exe
2804	system.exe
876	system.exe
1596	system.exe
2468	system.exe
2208	system.exe
2276	system.exe
1468	system.exe
440	system.exe
1644	system.exe
1356	system.exe
1768	system.exe
1672	system.exe
1708	system.exe
1048	system.exe
1932	system.exe
888	system.exe
2524	system.exe
2852	system.exe
2708	system.exe
2868	system.exe
2764	system.exe
2600	system.exe
1784	system.exe
984	system.exe
2916	system.exe
1728	system.exe
2344	system.exe
1848	system.exe
1688	system.exe
2948	system.exe
2576	system.exe
3004	system.exe
2328	system.exe
3052	system.exe
1516	system.exe
3056	system.exe
2260	system.exe
1528	system.exe
1592	system.exe
2548	system.exe
2012	system.exe
2436	system.exe
2552	system.exe
1936	system.exe
760	system.exe
1372	system.exe
564	system.exe
2180	system.exe
2520	system.exe
1744	system.exe
2408	system.exe
1568	system.exe
2848	system.exe
2752	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe
2840	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
2840	userinit.exe
2840	userinit.exe
2676	system.exe
2840	userinit.exe
2592	system.exe
2840	userinit.exe
2760	system.exe
2840	userinit.exe
700	system.exe
2840	userinit.exe
580	system.exe
2840	userinit.exe
1712	system.exe
2840	userinit.exe
856	system.exe
2840	userinit.exe
2928	system.exe
2840	userinit.exe
2984	system.exe
2840	userinit.exe
2804	system.exe
2840	userinit.exe
876	system.exe
2840	userinit.exe
1596	system.exe
2840	userinit.exe
2468	system.exe
2840	userinit.exe
2208	system.exe
2840	userinit.exe
2276	system.exe
2840	userinit.exe
1468	system.exe
2840	userinit.exe
440	system.exe
2840	userinit.exe
1644	system.exe
2840	userinit.exe
1356	system.exe
2840	userinit.exe
1768	system.exe
2840	userinit.exe
1672	system.exe
2840	userinit.exe
1708	system.exe
2840	userinit.exe
1048	system.exe
2840	userinit.exe
1932	system.exe
2840	userinit.exe
888	system.exe
2840	userinit.exe
2840	userinit.exe
2852	system.exe
2840	userinit.exe
2708	system.exe
2840	userinit.exe
2868	system.exe
2840	userinit.exe
2764	system.exe
2840	userinit.exe
2600	system.exe
2840	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
2840	userinit.exe
2840	userinit.exe
2676	system.exe
2676	system.exe
2592	system.exe
2592	system.exe
2760	system.exe
2760	system.exe
700	system.exe
700	system.exe
580	system.exe
580	system.exe
1712	system.exe
1712	system.exe
856	system.exe
856	system.exe
2928	system.exe
2928	system.exe
2984	system.exe
2984	system.exe
2804	system.exe
2804	system.exe
876	system.exe
876	system.exe
1596	system.exe
1596	system.exe
2468	system.exe
2468	system.exe
2208	system.exe
2208	system.exe
2276	system.exe
2276	system.exe
1468	system.exe
1468	system.exe
440	system.exe
440	system.exe
1644	system.exe
1644	system.exe
1356	system.exe
1356	system.exe
1768	system.exe
1768	system.exe
1672	system.exe
1672	system.exe
1708	system.exe
1708	system.exe
1048	system.exe
1048	system.exe
1932	system.exe
1932	system.exe
888	system.exe
888	system.exe
2852	system.exe
2852	system.exe
2708	system.exe
2708	system.exe
2868	system.exe
2868	system.exe
2764	system.exe
2764	system.exe
2600	system.exe
2600	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2840	2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2840	2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2840	2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2840	2736	ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2676	2840	userinit.exe	31
PID 2840 wrote to memory of 2676	2840	userinit.exe	31
PID 2840 wrote to memory of 2676	2840	userinit.exe	31
PID 2840 wrote to memory of 2676	2840	userinit.exe	31
PID 2840 wrote to memory of 2592	2840	userinit.exe	32
PID 2840 wrote to memory of 2592	2840	userinit.exe	32
PID 2840 wrote to memory of 2592	2840	userinit.exe	32
PID 2840 wrote to memory of 2592	2840	userinit.exe	32
PID 2840 wrote to memory of 2760	2840	userinit.exe	33
PID 2840 wrote to memory of 2760	2840	userinit.exe	33
PID 2840 wrote to memory of 2760	2840	userinit.exe	33
PID 2840 wrote to memory of 2760	2840	userinit.exe	33
PID 2840 wrote to memory of 700	2840	userinit.exe	34
PID 2840 wrote to memory of 700	2840	userinit.exe	34
PID 2840 wrote to memory of 700	2840	userinit.exe	34
PID 2840 wrote to memory of 700	2840	userinit.exe	34
PID 2840 wrote to memory of 580	2840	userinit.exe	35
PID 2840 wrote to memory of 580	2840	userinit.exe	35
PID 2840 wrote to memory of 580	2840	userinit.exe	35
PID 2840 wrote to memory of 580	2840	userinit.exe	35
PID 2840 wrote to memory of 1712	2840	userinit.exe	36
PID 2840 wrote to memory of 1712	2840	userinit.exe	36
PID 2840 wrote to memory of 1712	2840	userinit.exe	36
PID 2840 wrote to memory of 1712	2840	userinit.exe	36
PID 2840 wrote to memory of 856	2840	userinit.exe	37
PID 2840 wrote to memory of 856	2840	userinit.exe	37
PID 2840 wrote to memory of 856	2840	userinit.exe	37
PID 2840 wrote to memory of 856	2840	userinit.exe	37
PID 2840 wrote to memory of 2928	2840	userinit.exe	38
PID 2840 wrote to memory of 2928	2840	userinit.exe	38
PID 2840 wrote to memory of 2928	2840	userinit.exe	38
PID 2840 wrote to memory of 2928	2840	userinit.exe	38
PID 2840 wrote to memory of 2984	2840	userinit.exe	39
PID 2840 wrote to memory of 2984	2840	userinit.exe	39
PID 2840 wrote to memory of 2984	2840	userinit.exe	39
PID 2840 wrote to memory of 2984	2840	userinit.exe	39
PID 2840 wrote to memory of 2804	2840	userinit.exe	40
PID 2840 wrote to memory of 2804	2840	userinit.exe	40
PID 2840 wrote to memory of 2804	2840	userinit.exe	40
PID 2840 wrote to memory of 2804	2840	userinit.exe	40
PID 2840 wrote to memory of 876	2840	userinit.exe	41
PID 2840 wrote to memory of 876	2840	userinit.exe	41
PID 2840 wrote to memory of 876	2840	userinit.exe	41
PID 2840 wrote to memory of 876	2840	userinit.exe	41
PID 2840 wrote to memory of 1596	2840	userinit.exe	42
PID 2840 wrote to memory of 1596	2840	userinit.exe	42
PID 2840 wrote to memory of 1596	2840	userinit.exe	42
PID 2840 wrote to memory of 1596	2840	userinit.exe	42
PID 2840 wrote to memory of 2468	2840	userinit.exe	43
PID 2840 wrote to memory of 2468	2840	userinit.exe	43
PID 2840 wrote to memory of 2468	2840	userinit.exe	43
PID 2840 wrote to memory of 2468	2840	userinit.exe	43
PID 2840 wrote to memory of 2208	2840	userinit.exe	44
PID 2840 wrote to memory of 2208	2840	userinit.exe	44
PID 2840 wrote to memory of 2208	2840	userinit.exe	44
PID 2840 wrote to memory of 2208	2840	userinit.exe	44
PID 2840 wrote to memory of 2276	2840	userinit.exe	45
PID 2840 wrote to memory of 2276	2840	userinit.exe	45
PID 2840 wrote to memory of 2276	2840	userinit.exe	45
PID 2840 wrote to memory of 2276	2840	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff2c87c458cecdf0ff84ed2cc6f01fe9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
244KB

MD5
ff2c87c458cecdf0ff84ed2cc6f01fe9

SHA1
fe5191103e09af59fbf8a001911d227f067b0c4e

SHA256
f908292a20405e060595e9a0447e897b04d2da21b4dd1b9878322463439e9b09

SHA512
57d6324af7cb162f7624742c8b2ae9ea5f85582f9420034f105a28f3b5d2135d574192ce01607cb55bc68a82fed86e9a201b560a2f701df0236c0a6fad4ad7fc

Download Submit
memory/580-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/700-66-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/856-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/876-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-739-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-230-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1468-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1528-451-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1592-459-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-253-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1708-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1712-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1712-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1728-362-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1768-242-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1932-277-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-730-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2276-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2316-610-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2408-550-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2436-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2476-686-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2524-291-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2592-43-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2676-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2736-12-0x0000000002450000-0x000000000248D000-memory.dmp

Filesize
244KB

Download
memory/2736-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2736-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-574-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2760-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2764-869-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2764-321-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2804-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-424-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-630-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-350-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-1114-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-334-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-423-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-326-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-439-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-447-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-1106-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-258-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-471-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-472-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-480-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-249-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-496-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-511-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-238-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-562-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-1042-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-1013-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-98-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-622-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-342-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-652-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-653-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-668-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-99-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-712-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-73-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-735-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-74-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-779-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-788-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-858-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-50-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-881-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-889-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-932-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-947-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-955-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2840-963-0x0000000001C10000-0x0000000001C4D000-memory.dmp

Filesize
244KB

Download
memory/2848-566-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2868-313-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2916-354-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2928-115-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download