4f995d48ca95db9bb7e6a93137b4ffe9bf760c0c381dfd2233ea15d192f3a879

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35eb5f5748613dcfd3511c7dad954ff4.exe
Size

130KB
MD5

35eb5f5748613dcfd3511c7dad954ff4
SHA1

9e30c1911c6f79629862fb9ba12d4127e389d97d
SHA256

4f995d48ca95db9bb7e6a93137b4ffe9bf760c0c381dfd2233ea15d192f3a879
SHA512

de1ccc259420fd8a436254a018fd2258341d51a86763e34510a602be7615b87ed8ae77cded9f8081f32ac2bb9e14914afb9cc288a195eba66643e8bb592eaf43
SSDEEP

768:zaCaB044YAHIiSkrzzx0iDTOtMxZI5C8w/f1zBmQjTGfm5yq6zU:WC0OMcamTaWf1zwQl5v6I

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1560	userinit.exe
3652	system.exe
4220	system.exe
4664	system.exe
4744	system.exe
3508	system.exe
1276	system.exe
1660	system.exe
4868	system.exe
3068	system.exe
3220	system.exe
4328	system.exe
4116	system.exe
4272	system.exe
3188	system.exe
3152	system.exe
4304	system.exe
1144	system.exe
220	system.exe
4252	system.exe
4020	system.exe
1908	system.exe
4704	system.exe
4552	system.exe
2132	system.exe
428	system.exe
2796	system.exe
2456	system.exe
2212	system.exe
4724	system.exe
3264	system.exe
1740	system.exe
4136	system.exe
1892	system.exe
3608	system.exe
4200	system.exe
1708	system.exe
3188	system.exe
2812	system.exe
4300	system.exe
1996	system.exe
4776	system.exe
4704	system.exe
2184	system.exe
2120	system.exe
1900	system.exe
4372	system.exe
5020	system.exe
3004	system.exe
1780	system.exe
4856	system.exe
2076	system.exe
1008	system.exe
4864	system.exe
2628	system.exe
1700	system.exe
4228	system.exe
3116	system.exe
1924	system.exe
2548	system.exe
3412	system.exe
3188	system.exe
1464	system.exe
1060	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	35eb5f5748613dcfd3511c7dad954ff4.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	35eb5f5748613dcfd3511c7dad954ff4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3468	35eb5f5748613dcfd3511c7dad954ff4.exe
3468	35eb5f5748613dcfd3511c7dad954ff4.exe
1560	userinit.exe
1560	userinit.exe
1560	userinit.exe
1560	userinit.exe
3652	system.exe
3652	system.exe
1560	userinit.exe
1560	userinit.exe
4220	system.exe
4220	system.exe
1560	userinit.exe
1560	userinit.exe
4664	system.exe
4664	system.exe
1560	userinit.exe
1560	userinit.exe
4744	system.exe
4744	system.exe
1560	userinit.exe
1560	userinit.exe
3508	system.exe
3508	system.exe
1560	userinit.exe
1560	userinit.exe
1276	system.exe
1276	system.exe
1560	userinit.exe
1560	userinit.exe
1660	system.exe
1660	system.exe
1560	userinit.exe
1560	userinit.exe
4868	system.exe
4868	system.exe
1560	userinit.exe
1560	userinit.exe
3068	system.exe
3068	system.exe
1560	userinit.exe
1560	userinit.exe
3220	system.exe
3220	system.exe
1560	userinit.exe
1560	userinit.exe
4328	system.exe
4328	system.exe
1560	userinit.exe
1560	userinit.exe
4116	system.exe
4116	system.exe
1560	userinit.exe
1560	userinit.exe
4272	system.exe
4272	system.exe
1560	userinit.exe
1560	userinit.exe
3188	system.exe
3188	system.exe
1560	userinit.exe
1560	userinit.exe
3152	system.exe
3152	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1560	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3468	35eb5f5748613dcfd3511c7dad954ff4.exe
3468	35eb5f5748613dcfd3511c7dad954ff4.exe
1560	userinit.exe
1560	userinit.exe
3652	system.exe
3652	system.exe
4220	system.exe
4220	system.exe
4664	system.exe
4664	system.exe
4744	system.exe
4744	system.exe
3508	system.exe
3508	system.exe
1276	system.exe
1276	system.exe
1660	system.exe
1660	system.exe
4868	system.exe
4868	system.exe
3068	system.exe
3068	system.exe
3220	system.exe
3220	system.exe
4328	system.exe
4328	system.exe
4116	system.exe
4116	system.exe
4272	system.exe
4272	system.exe
3188	system.exe
3188	system.exe
3152	system.exe
3152	system.exe
4304	system.exe
4304	system.exe
1144	system.exe
1144	system.exe
220	system.exe
220	system.exe
4252	system.exe
4252	system.exe
4020	system.exe
4020	system.exe
1908	system.exe
1908	system.exe
4704	system.exe
4704	system.exe
4552	system.exe
4552	system.exe
2132	system.exe
2132	system.exe
428	system.exe
428	system.exe
2796	system.exe
2796	system.exe
2456	system.exe
2456	system.exe
2212	system.exe
2212	system.exe
4724	system.exe
4724	system.exe
3264	system.exe
3264	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1560	3468	35eb5f5748613dcfd3511c7dad954ff4.exe	88
PID 3468 wrote to memory of 1560	3468	35eb5f5748613dcfd3511c7dad954ff4.exe	88
PID 3468 wrote to memory of 1560	3468	35eb5f5748613dcfd3511c7dad954ff4.exe	88
PID 1560 wrote to memory of 3652	1560	userinit.exe	92
PID 1560 wrote to memory of 3652	1560	userinit.exe	92
PID 1560 wrote to memory of 3652	1560	userinit.exe	92
PID 1560 wrote to memory of 4220	1560	userinit.exe	93
PID 1560 wrote to memory of 4220	1560	userinit.exe	93
PID 1560 wrote to memory of 4220	1560	userinit.exe	93
PID 1560 wrote to memory of 4664	1560	userinit.exe	94
PID 1560 wrote to memory of 4664	1560	userinit.exe	94
PID 1560 wrote to memory of 4664	1560	userinit.exe	94
PID 1560 wrote to memory of 4744	1560	userinit.exe	173
PID 1560 wrote to memory of 4744	1560	userinit.exe	173
PID 1560 wrote to memory of 4744	1560	userinit.exe	173
PID 1560 wrote to memory of 3508	1560	userinit.exe	96
PID 1560 wrote to memory of 3508	1560	userinit.exe	96
PID 1560 wrote to memory of 3508	1560	userinit.exe	96
PID 1560 wrote to memory of 1276	1560	userinit.exe	175
PID 1560 wrote to memory of 1276	1560	userinit.exe	175
PID 1560 wrote to memory of 1276	1560	userinit.exe	175
PID 1560 wrote to memory of 1660	1560	userinit.exe	98
PID 1560 wrote to memory of 1660	1560	userinit.exe	98
PID 1560 wrote to memory of 1660	1560	userinit.exe	98
PID 1560 wrote to memory of 4868	1560	userinit.exe	101
PID 1560 wrote to memory of 4868	1560	userinit.exe	101
PID 1560 wrote to memory of 4868	1560	userinit.exe	101
PID 1560 wrote to memory of 3068	1560	userinit.exe	103
PID 1560 wrote to memory of 3068	1560	userinit.exe	103
PID 1560 wrote to memory of 3068	1560	userinit.exe	103
PID 1560 wrote to memory of 3220	1560	userinit.exe	105
PID 1560 wrote to memory of 3220	1560	userinit.exe	105
PID 1560 wrote to memory of 3220	1560	userinit.exe	105
PID 1560 wrote to memory of 4328	1560	userinit.exe	106
PID 1560 wrote to memory of 4328	1560	userinit.exe	106
PID 1560 wrote to memory of 4328	1560	userinit.exe	106
PID 1560 wrote to memory of 4116	1560	userinit.exe	108
PID 1560 wrote to memory of 4116	1560	userinit.exe	108
PID 1560 wrote to memory of 4116	1560	userinit.exe	108
PID 1560 wrote to memory of 4272	1560	userinit.exe	109
PID 1560 wrote to memory of 4272	1560	userinit.exe	109
PID 1560 wrote to memory of 4272	1560	userinit.exe	109
PID 1560 wrote to memory of 3188	1560	userinit.exe	224
PID 1560 wrote to memory of 3188	1560	userinit.exe	224
PID 1560 wrote to memory of 3188	1560	userinit.exe	224
PID 1560 wrote to memory of 3152	1560	userinit.exe	112
PID 1560 wrote to memory of 3152	1560	userinit.exe	112
PID 1560 wrote to memory of 3152	1560	userinit.exe	112
PID 1560 wrote to memory of 4304	1560	userinit.exe	113
PID 1560 wrote to memory of 4304	1560	userinit.exe	113
PID 1560 wrote to memory of 4304	1560	userinit.exe	113
PID 1560 wrote to memory of 1144	1560	userinit.exe	114
PID 1560 wrote to memory of 1144	1560	userinit.exe	114
PID 1560 wrote to memory of 1144	1560	userinit.exe	114
PID 1560 wrote to memory of 220	1560	userinit.exe	116
PID 1560 wrote to memory of 220	1560	userinit.exe	116
PID 1560 wrote to memory of 220	1560	userinit.exe	116
PID 1560 wrote to memory of 4252	1560	userinit.exe	117
PID 1560 wrote to memory of 4252	1560	userinit.exe	117
PID 1560 wrote to memory of 4252	1560	userinit.exe	117
PID 1560 wrote to memory of 4020	1560	userinit.exe	118
PID 1560 wrote to memory of 4020	1560	userinit.exe	118
PID 1560 wrote to memory of 4020	1560	userinit.exe	118
PID 1560 wrote to memory of 1908	1560	userinit.exe	119

C:\Users\Admin\AppData\Local\Temp\35eb5f5748613dcfd3511c7dad954ff4.exe
"C:\Users\Admin\AppData\Local\Temp\35eb5f5748613dcfd3511c7dad954ff4.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
98KB

MD5
47d02c07f4e1b1278848df9f196e0882

SHA1
afc33d490e5ef4456d3000a1cd093642dd8b9618

SHA256
497a49dc372704ae78d74dd89e0e2a0574b082d633a775913ede5fc84dccf6ca

SHA512
01df7ab56c9e6ebc0645c4b26cb18dc118d78ce343026f0e32e3bf96589f5bb511d07db50a6b6f7c9454b16de38282a9b4206b683262127cd091921c83762b20

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
92KB

MD5
da5ca9cec95ab3948c02a1fbdf8837e3

SHA1
d944aa308b9e471c279b4b7a5532634f38ebee9b

SHA256
58716bac3b21e4bf00d90067c7ad66b8050b2c79eb66e0f168f98c70d6e16010

SHA512
07acda9ed5438d3a3b92c593521839eb9b56693d114c57dca8eccf2247c492448d7bd441c978310aa2fb138267db062829cf9bd7e3595c99434651e9be1d7a1a

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
95KB

MD5
3588a0874dd79e4d2bd7d9d8fe6c81c8

SHA1
d37acc09e8436ec0384966b647c93a4564548e58

SHA256
e4a91e0d1f781f12055a08ca1478c921ea254c83bcf2739c4a3838ecc98a91da

SHA512
23d90cfa1d20bf1cf8095a72f31a2304648a505c449426530c56f5c582b7cc5e45d7cf708ac9030ed70e530d147560ae4b0159af2181e4fb3771cffbc21509a4

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
93KB

MD5
c9b84c3384059228077a959998fdb160

SHA1
f09bc1a9838aace557ea26214453153360b84d02

SHA256
b5cad730d42c6bbe1fc4e546534fe64598abccfcbb584487f255d74fe431f395

SHA512
0c50c2e31680d841a23c15629c4cf43c3da3ca877c6611e1b32e18990daf074c33d5530f0ed644979adb2c55693852646bedcc7b90f6eeb239aca12d0f308cde

Download Submit
C:\Windows\userinit.exe

Filesize
130KB

MD5
35eb5f5748613dcfd3511c7dad954ff4

SHA1
9e30c1911c6f79629862fb9ba12d4127e389d97d

SHA256
4f995d48ca95db9bb7e6a93137b4ffe9bf760c0c381dfd2233ea15d192f3a879

SHA512
de1ccc259420fd8a436254a018fd2258341d51a86763e34510a602be7615b87ed8ae77cded9f8081f32ac2bb9e14914afb9cc288a195eba66643e8bb592eaf43

Download Submit
memory/220-131-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/392-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/428-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/796-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/824-475-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/968-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-311-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1056-391-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1464-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-12-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1560-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1740-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1744-480-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1744-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1908-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1924-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-250-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2120-271-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2212-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-463-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2456-182-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2456-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2456-177-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2548-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-349-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2628-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-171-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2812-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3004-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3004-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-74-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3068-79-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3116-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3152-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-105-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3188-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3220-81-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3220-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3264-195-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3264-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-18-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3468-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3468-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3476-469-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3476-464-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3508-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3508-51-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3608-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-27-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3652-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-143-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4116-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4136-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4200-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-32-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4220-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4252-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4252-133-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4272-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-98-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4300-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4308-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4328-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-39-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4664-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4724-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-46-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4744-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4776-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download