kinsing | 7c5c006db31b7ce5d3af6159b506f74561cac991509193260758d8a8b4cf3698

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751876e58b7759ba784cea81b9864392.exe
Size

825KB
MD5

751876e58b7759ba784cea81b9864392
SHA1

498709011d7012bc15a08137fe74b0808993ef24
SHA256

7c5c006db31b7ce5d3af6159b506f74561cac991509193260758d8a8b4cf3698
SHA512

42c7f03184b51557d45110b12c25fbd061c2a3d01fd7f8888a968a0674b158348e7534e93dbaea3a3d794a1151ad2321542f6ad2575291f4a34e3c916e2f0b6b
SSDEEP

24576:/vehv7elIJnI2+Hp121D51FI7dguPUWTXRf8zUXt6I:/kvSlIKXHp121DTFIyuPU0fR

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

userinit.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

Processes:

userinit.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid	Process
644	userinit.exe
3172	system.exe
2508	system.exe
5056	system.exe
3960	system.exe
4572	system.exe
1208	system.exe
836	system.exe
3992	system.exe
3272	system.exe
3988	system.exe
2820	system.exe
1032	system.exe
3636	system.exe
3632	system.exe
1016	system.exe
5000	system.exe
1688	system.exe
320	system.exe
1348	system.exe
4132	system.exe
536	system.exe
1228	system.exe
3448	system.exe
4788	system.exe
1236	system.exe
2388	system.exe
1084	system.exe
224	system.exe
4720	system.exe
4392	system.exe
4612	system.exe
2800	system.exe
864	system.exe
1924	system.exe
2696	system.exe
772	system.exe
1128	system.exe
3196	system.exe
4336	system.exe
3488	system.exe
2504	system.exe
2128	system.exe
4680	system.exe
1196	system.exe
4400	system.exe
3520	system.exe
1688	system.exe
4628	system.exe
1512	system.exe
4964	system.exe
1020	system.exe
1940	system.exe
3408	system.exe
228	system.exe
3208	system.exe
4712	system.exe
4616	system.exe
4256	system.exe
4704	system.exe
4320	system.exe
3472	system.exe
3492	system.exe
396	system.exe

Drops file in System32 directory 2 IoCs

Processes:

userinit.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

Processes:

751876e58b7759ba784cea81b9864392.exeuserinit.exe

description	ioc	Process
File created	C:\Windows\userinit.exe	751876e58b7759ba784cea81b9864392.exe
File opened for modification	C:\Windows\userinit.exe	751876e58b7759ba784cea81b9864392.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

751876e58b7759ba784cea81b9864392.exeuserinit.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid	Process
4512	751876e58b7759ba784cea81b9864392.exe
4512	751876e58b7759ba784cea81b9864392.exe
644	userinit.exe
644	userinit.exe
644	userinit.exe
644	userinit.exe
3172	system.exe
3172	system.exe
644	userinit.exe
644	userinit.exe
2508	system.exe
2508	system.exe
644	userinit.exe
644	userinit.exe
5056	system.exe
5056	system.exe
644	userinit.exe
644	userinit.exe
3960	system.exe
3960	system.exe
644	userinit.exe
644	userinit.exe
4572	system.exe
4572	system.exe
644	userinit.exe
644	userinit.exe
1208	system.exe
1208	system.exe
644	userinit.exe
644	userinit.exe
836	system.exe
836	system.exe
644	userinit.exe
644	userinit.exe
3992	system.exe
3992	system.exe
644	userinit.exe
644	userinit.exe
3272	system.exe
3272	system.exe
644	userinit.exe
644	userinit.exe
3988	system.exe
3988	system.exe
644	userinit.exe
644	userinit.exe
2820	system.exe
2820	system.exe
644	userinit.exe
644	userinit.exe
1032	system.exe
1032	system.exe
644	userinit.exe
644	userinit.exe
3636	system.exe
3636	system.exe
644	userinit.exe
644	userinit.exe
3632	system.exe
3632	system.exe
644	userinit.exe
644	userinit.exe
1016	system.exe
1016	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

userinit.exe

pid	Process
644	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

751876e58b7759ba784cea81b9864392.exeuserinit.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid	Process
4512	751876e58b7759ba784cea81b9864392.exe
4512	751876e58b7759ba784cea81b9864392.exe
644	userinit.exe
644	userinit.exe
3172	system.exe
3172	system.exe
2508	system.exe
2508	system.exe
5056	system.exe
5056	system.exe
3960	system.exe
3960	system.exe
4572	system.exe
4572	system.exe
1208	system.exe
1208	system.exe
836	system.exe
836	system.exe
3992	system.exe
3992	system.exe
3272	system.exe
3272	system.exe
3988	system.exe
3988	system.exe
2820	system.exe
2820	system.exe
1032	system.exe
1032	system.exe
3636	system.exe
3636	system.exe
3632	system.exe
3632	system.exe
1016	system.exe
1016	system.exe
5000	system.exe
5000	system.exe
1688	system.exe
1688	system.exe
320	system.exe
320	system.exe
1348	system.exe
1348	system.exe
4132	system.exe
4132	system.exe
536	system.exe
536	system.exe
1228	system.exe
1228	system.exe
3448	system.exe
3448	system.exe
4788	system.exe
4788	system.exe
1236	system.exe
1236	system.exe
2388	system.exe
2388	system.exe
1084	system.exe
1084	system.exe
224	system.exe
224	system.exe
4720	system.exe
4720	system.exe
4392	system.exe
4392	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

751876e58b7759ba784cea81b9864392.exeuserinit.exe

description	pid	Process	procid_target
PID 4512 wrote to memory of 644	4512	751876e58b7759ba784cea81b9864392.exe	87
PID 4512 wrote to memory of 644	4512	751876e58b7759ba784cea81b9864392.exe	87
PID 4512 wrote to memory of 644	4512	751876e58b7759ba784cea81b9864392.exe	87
PID 644 wrote to memory of 3172	644	userinit.exe	90
PID 644 wrote to memory of 3172	644	userinit.exe	90
PID 644 wrote to memory of 3172	644	userinit.exe	90
PID 644 wrote to memory of 2508	644	userinit.exe	92
PID 644 wrote to memory of 2508	644	userinit.exe	92
PID 644 wrote to memory of 2508	644	userinit.exe	92
PID 644 wrote to memory of 5056	644	userinit.exe	95
PID 644 wrote to memory of 5056	644	userinit.exe	95
PID 644 wrote to memory of 5056	644	userinit.exe	95
PID 644 wrote to memory of 3960	644	userinit.exe	98
PID 644 wrote to memory of 3960	644	userinit.exe	98
PID 644 wrote to memory of 3960	644	userinit.exe	98
PID 644 wrote to memory of 4572	644	userinit.exe	99
PID 644 wrote to memory of 4572	644	userinit.exe	99
PID 644 wrote to memory of 4572	644	userinit.exe	99
PID 644 wrote to memory of 1208	644	userinit.exe	101
PID 644 wrote to memory of 1208	644	userinit.exe	101
PID 644 wrote to memory of 1208	644	userinit.exe	101
PID 644 wrote to memory of 836	644	userinit.exe	102
PID 644 wrote to memory of 836	644	userinit.exe	102
PID 644 wrote to memory of 836	644	userinit.exe	102
PID 644 wrote to memory of 3992	644	userinit.exe	103
PID 644 wrote to memory of 3992	644	userinit.exe	103
PID 644 wrote to memory of 3992	644	userinit.exe	103
PID 644 wrote to memory of 3272	644	userinit.exe	106
PID 644 wrote to memory of 3272	644	userinit.exe	106
PID 644 wrote to memory of 3272	644	userinit.exe	106
PID 644 wrote to memory of 3988	644	userinit.exe	107
PID 644 wrote to memory of 3988	644	userinit.exe	107
PID 644 wrote to memory of 3988	644	userinit.exe	107
PID 644 wrote to memory of 2820	644	userinit.exe	108
PID 644 wrote to memory of 2820	644	userinit.exe	108
PID 644 wrote to memory of 2820	644	userinit.exe	108
PID 644 wrote to memory of 1032	644	userinit.exe	109
PID 644 wrote to memory of 1032	644	userinit.exe	109
PID 644 wrote to memory of 1032	644	userinit.exe	109
PID 644 wrote to memory of 3636	644	userinit.exe	110
PID 644 wrote to memory of 3636	644	userinit.exe	110
PID 644 wrote to memory of 3636	644	userinit.exe	110
PID 644 wrote to memory of 3632	644	userinit.exe	111
PID 644 wrote to memory of 3632	644	userinit.exe	111
PID 644 wrote to memory of 3632	644	userinit.exe	111
PID 644 wrote to memory of 1016	644	userinit.exe	112
PID 644 wrote to memory of 1016	644	userinit.exe	112
PID 644 wrote to memory of 1016	644	userinit.exe	112
PID 644 wrote to memory of 5000	644	userinit.exe	113
PID 644 wrote to memory of 5000	644	userinit.exe	113
PID 644 wrote to memory of 5000	644	userinit.exe	113
PID 644 wrote to memory of 1688	644	userinit.exe	114
PID 644 wrote to memory of 1688	644	userinit.exe	114
PID 644 wrote to memory of 1688	644	userinit.exe	114
PID 644 wrote to memory of 320	644	userinit.exe	115
PID 644 wrote to memory of 320	644	userinit.exe	115
PID 644 wrote to memory of 320	644	userinit.exe	115
PID 644 wrote to memory of 1348	644	userinit.exe	116
PID 644 wrote to memory of 1348	644	userinit.exe	116
PID 644 wrote to memory of 1348	644	userinit.exe	116
PID 644 wrote to memory of 4132	644	userinit.exe	117
PID 644 wrote to memory of 4132	644	userinit.exe	117
PID 644 wrote to memory of 4132	644	userinit.exe	117
PID 644 wrote to memory of 536	644	userinit.exe	118

C:\Users\Admin\AppData\Local\Temp\751876e58b7759ba784cea81b9864392.exe
"C:\Users\Admin\AppData\Local\Temp\751876e58b7759ba784cea81b9864392.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
709KB

MD5
ee2cabfd3ebc14e76a9266f173573e8e

SHA1
b4d9da93033e6361379a42a402afe105f12531a6

SHA256
8b9764736816f95530e65e1f11cb1bd23794c42b765bc08fdedce38033ec2cc9

SHA512
43201342095c10f23c0476eef11da50afd6cb8441fce401ae6bb4f777583219855a520a1dee7e43aee1d7d9102f04f2f5f90523fb7d53ecfcc9e09b84f0d3306

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
686KB

MD5
d210f7f52cc549f968f4378fe48bb47c

SHA1
375d4ad989bb85324a9ae0e78c966518815be167

SHA256
42d02a7428750a62efc7fae4d98ee2176442c714a2909890ed2dfc5e0f0df555

SHA512
50c98e30b7f79a9a16bc3e4b627cd033a70c2e5efe68292dc8f2c8657dd24ef004f78e2bef4ef1ae2eef73f9496b7a67846a4a584ce4af74927ec792311a05ae

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
146KB

MD5
7d6468851622dca2fb8a29f080036ce9

SHA1
af20c1c56ecc64c4ff5289594ca6c9bfb12c8236

SHA256
7ef7ad89efb5ff37c106c16eb1c90e52812d3cd6a6798a4bffd3bcd75ebbdf9f

SHA512
d482a7bfeac346a0157dc3811aedb6157664fe7a36eb661bcae18798cfcd9b8edcb41c8f625a30641521390a31f52e0ffab9b586b9b618b5bcf4dd7641a174f6

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
704KB

MD5
1903308c47e9c46cf6d864cf9cb005c2

SHA1
92c1b2c34b81c57ee0fecf7e0f6e5d03a93bef2c

SHA256
2a008f56209519372daa898caa63bd1e29cebc085279da4d687c1cde0e4cd2af

SHA512
f244399fcdc890c782acf459c11585094ad7a8320898f61f2c282a8aeb90cf6ba19922580f8d9b1b1eecbbf87cbcad5bf385d6f202359b13b24d750b0167f700

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
563KB

MD5
2f5fa5fa38e82e0ae22eb697b9e4a388

SHA1
df0cc95013988a1090085b8578bfc63e3df42fdf

SHA256
66d35b17e958a9db7186b0cc188d0b9bd276527f4acfb7d6f7f8a0d489af2f34

SHA512
c0a5e62c28b00406ec1528d1be04af2b165e3381c3230a977ed25f6943890c38b0074da2c36290fdb05c7c9ee59409def52ab5b332dac099987f4c839b40a544

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
287KB

MD5
f2dcd218d29a4a4a1b0b92a84a2cb2ba

SHA1
028799b5e3629f0805515e4896b200365adb3c59

SHA256
7c9dfa354e7405987d35f26047a6959f60d1001c4ed4d68e4352bf8174dcb321

SHA512
e18563986dfa8ab86c91ab7ef38c6f85614d4d67a628d48c19117766bf596c594d375c22b29aa58ff4f3ad52ac44ae34af57b73a63e6912e4332a6fe732ee3ce

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
65KB

MD5
40ce826294353f3067f279ec3dc575d2

SHA1
108affaab80c95e6433292b314edcfd90ee368d2

SHA256
6ec9be0d5614b3bbba8d0b24f0b61a8cf7bc667498541993664198c45d09a98a

SHA512
3eff6346ef457dc8c1c0b14a3e29e5ae817d47190b2f1ad719a55aaf0dbf9989069c31715a351569fc1780815a2d2fb3076253e8f23d2b3c4f223abaab20cc81

Download Submit
C:\Windows\userinit.exe

Filesize
825KB

MD5
751876e58b7759ba784cea81b9864392

SHA1
498709011d7012bc15a08137fe74b0808993ef24

SHA256
7c5c006db31b7ce5d3af6159b506f74561cac991509193260758d8a8b4cf3698

SHA512
42c7f03184b51557d45110b12c25fbd061c2a3d01fd7f8888a968a0674b158348e7534e93dbaea3a3d794a1151ad2321542f6ad2575291f4a34e3c916e2f0b6b

Download Submit
memory/212-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-180-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/228-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-368-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/536-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-11-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/644-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-62-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/836-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-114-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1020-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-92-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1052-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-56-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1208-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-132-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1372-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-31-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2696-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-451-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2868-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-26-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3196-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-235-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3208-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-73-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3408-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-362-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3512-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-104-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3632-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-102-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3636-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-44-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3988-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-81-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3992-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-138-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4132-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-401-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4332-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-395-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4336-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-195-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4392-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-17-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4512-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4572-52-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4572-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-288-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4680-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-462-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4944-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-38-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/5056-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download