d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02a

Analysis

max time kernel
120s
max time network
15s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
Size

1.3MB
MD5

e1731afa2b8650d308d1ddb2a18b8730
SHA1

294df903102cb2eeed4698b5d114a348cb3238db
SHA256

d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02a
SHA512

49b4ca85e2ef5d5ba7ad9946e1b1fc415477ca659b7f5bb6ed57059386e8141829fa0f11e111f31a92a6caa129ff88075439ea61a4d8426cbfa5561e3389378b
SSDEEP

1536:eXTSHQ+AWwXpPhttof1zwQVgv/qflVkSkwNegiYaZR:ejG4pPhLo1zwLv/2IfwNeginR

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3028	userinit.exe
2800	system.exe
2868	system.exe
2612	system.exe
2956	system.exe
2540	system.exe
2436	system.exe
2348	system.exe
2128	system.exe
2104	system.exe
264	system.exe
2296	system.exe
3040	system.exe
2084	system.exe
2412	system.exe
756	system.exe
1036	system.exe
2996	system.exe
3000	system.exe
2404	system.exe
324	system.exe
1808	system.exe
2872	system.exe
2132	system.exe
2088	system.exe
2796	system.exe
2244	system.exe
2728	system.exe
2560	system.exe
2552	system.exe
2984	system.exe
1396	system.exe
2844	system.exe
2424	system.exe
3056	system.exe
2732	system.exe
2852	system.exe
2352	system.exe
1376	system.exe
540	system.exe
572	system.exe
2068	system.exe
1044	system.exe
2092	system.exe
3060	system.exe
1924	system.exe
1512	system.exe
1340	system.exe
3048	system.exe
2228	system.exe
1332	system.exe
1816	system.exe
1708	system.exe
2404	system.exe
580	system.exe
1948	system.exe
2276	system.exe
1712	system.exe
2764	system.exe
2704	system.exe
2820	system.exe
2244	system.exe
2788	system.exe
2588	system.exe

Loads dropped DLL 64 IoCs

pid	Process
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe
3028	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
File opened for modification	C:\Windows\userinit.exe	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
3028	userinit.exe
3028	userinit.exe
2800	system.exe
3028	userinit.exe
2868	system.exe
3028	userinit.exe
2612	system.exe
3028	userinit.exe
2956	system.exe
3028	userinit.exe
2540	system.exe
3028	userinit.exe
2436	system.exe
3028	userinit.exe
2348	system.exe
3028	userinit.exe
2128	system.exe
3028	userinit.exe
2104	system.exe
3028	userinit.exe
264	system.exe
3028	userinit.exe
2296	system.exe
3028	userinit.exe
3040	system.exe
3028	userinit.exe
2084	system.exe
3028	userinit.exe
2412	system.exe
3028	userinit.exe
756	system.exe
3028	userinit.exe
1036	system.exe
3028	userinit.exe
2996	system.exe
3028	userinit.exe
3000	system.exe
3028	userinit.exe
2404	system.exe
3028	userinit.exe
324	system.exe
3028	userinit.exe
1808	system.exe
3028	userinit.exe
2872	system.exe
3028	userinit.exe
2132	system.exe
3028	userinit.exe
2088	system.exe
3028	userinit.exe
2796	system.exe
3028	userinit.exe
2244	system.exe
3028	userinit.exe
2728	system.exe
3028	userinit.exe
2560	system.exe
3028	userinit.exe
2552	system.exe
3028	userinit.exe
2984	system.exe
3028	userinit.exe
1396	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
3028	userinit.exe
3028	userinit.exe
2800	system.exe
2800	system.exe
2868	system.exe
2868	system.exe
2612	system.exe
2612	system.exe
2956	system.exe
2956	system.exe
2540	system.exe
2540	system.exe
2436	system.exe
2436	system.exe
2348	system.exe
2348	system.exe
2128	system.exe
2128	system.exe
2104	system.exe
2104	system.exe
264	system.exe
264	system.exe
2296	system.exe
2296	system.exe
3040	system.exe
3040	system.exe
2084	system.exe
2084	system.exe
2412	system.exe
2412	system.exe
756	system.exe
756	system.exe
1036	system.exe
1036	system.exe
2996	system.exe
2996	system.exe
3000	system.exe
3000	system.exe
2404	system.exe
2404	system.exe
324	system.exe
324	system.exe
1808	system.exe
1808	system.exe
2872	system.exe
2872	system.exe
2132	system.exe
2132	system.exe
2088	system.exe
2088	system.exe
2796	system.exe
2796	system.exe
2244	system.exe
2244	system.exe
2728	system.exe
2728	system.exe
2560	system.exe
2560	system.exe
2552	system.exe
2552	system.exe
2984	system.exe
2984	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3028	2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe	30
PID 2876 wrote to memory of 3028	2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe	30
PID 2876 wrote to memory of 3028	2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe	30
PID 2876 wrote to memory of 3028	2876	d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe	30
PID 3028 wrote to memory of 2800	3028	userinit.exe	31
PID 3028 wrote to memory of 2800	3028	userinit.exe	31
PID 3028 wrote to memory of 2800	3028	userinit.exe	31
PID 3028 wrote to memory of 2800	3028	userinit.exe	31
PID 3028 wrote to memory of 2868	3028	userinit.exe	32
PID 3028 wrote to memory of 2868	3028	userinit.exe	32
PID 3028 wrote to memory of 2868	3028	userinit.exe	32
PID 3028 wrote to memory of 2868	3028	userinit.exe	32
PID 3028 wrote to memory of 2612	3028	userinit.exe	33
PID 3028 wrote to memory of 2612	3028	userinit.exe	33
PID 3028 wrote to memory of 2612	3028	userinit.exe	33
PID 3028 wrote to memory of 2612	3028	userinit.exe	33
PID 3028 wrote to memory of 2956	3028	userinit.exe	34
PID 3028 wrote to memory of 2956	3028	userinit.exe	34
PID 3028 wrote to memory of 2956	3028	userinit.exe	34
PID 3028 wrote to memory of 2956	3028	userinit.exe	34
PID 3028 wrote to memory of 2540	3028	userinit.exe	35
PID 3028 wrote to memory of 2540	3028	userinit.exe	35
PID 3028 wrote to memory of 2540	3028	userinit.exe	35
PID 3028 wrote to memory of 2540	3028	userinit.exe	35
PID 3028 wrote to memory of 2436	3028	userinit.exe	36
PID 3028 wrote to memory of 2436	3028	userinit.exe	36
PID 3028 wrote to memory of 2436	3028	userinit.exe	36
PID 3028 wrote to memory of 2436	3028	userinit.exe	36
PID 3028 wrote to memory of 2348	3028	userinit.exe	37
PID 3028 wrote to memory of 2348	3028	userinit.exe	37
PID 3028 wrote to memory of 2348	3028	userinit.exe	37
PID 3028 wrote to memory of 2348	3028	userinit.exe	37
PID 3028 wrote to memory of 2128	3028	userinit.exe	38
PID 3028 wrote to memory of 2128	3028	userinit.exe	38
PID 3028 wrote to memory of 2128	3028	userinit.exe	38
PID 3028 wrote to memory of 2128	3028	userinit.exe	38
PID 3028 wrote to memory of 2104	3028	userinit.exe	39
PID 3028 wrote to memory of 2104	3028	userinit.exe	39
PID 3028 wrote to memory of 2104	3028	userinit.exe	39
PID 3028 wrote to memory of 2104	3028	userinit.exe	39
PID 3028 wrote to memory of 264	3028	userinit.exe	40
PID 3028 wrote to memory of 264	3028	userinit.exe	40
PID 3028 wrote to memory of 264	3028	userinit.exe	40
PID 3028 wrote to memory of 264	3028	userinit.exe	40
PID 3028 wrote to memory of 2296	3028	userinit.exe	41
PID 3028 wrote to memory of 2296	3028	userinit.exe	41
PID 3028 wrote to memory of 2296	3028	userinit.exe	41
PID 3028 wrote to memory of 2296	3028	userinit.exe	41
PID 3028 wrote to memory of 3040	3028	userinit.exe	42
PID 3028 wrote to memory of 3040	3028	userinit.exe	42
PID 3028 wrote to memory of 3040	3028	userinit.exe	42
PID 3028 wrote to memory of 3040	3028	userinit.exe	42
PID 3028 wrote to memory of 2084	3028	userinit.exe	43
PID 3028 wrote to memory of 2084	3028	userinit.exe	43
PID 3028 wrote to memory of 2084	3028	userinit.exe	43
PID 3028 wrote to memory of 2084	3028	userinit.exe	43
PID 3028 wrote to memory of 2412	3028	userinit.exe	44
PID 3028 wrote to memory of 2412	3028	userinit.exe	44
PID 3028 wrote to memory of 2412	3028	userinit.exe	44
PID 3028 wrote to memory of 2412	3028	userinit.exe	44
PID 3028 wrote to memory of 756	3028	userinit.exe	45
PID 3028 wrote to memory of 756	3028	userinit.exe	45
PID 3028 wrote to memory of 756	3028	userinit.exe	45
PID 3028 wrote to memory of 756	3028	userinit.exe	45

C:\Users\Admin\AppData\Local\Temp\d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe
"C:\Users\Admin\AppData\Local\Temp\d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02aN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
1.3MB

MD5
e1731afa2b8650d308d1ddb2a18b8730

SHA1
294df903102cb2eeed4698b5d114a348cb3238db

SHA256
d4ed87dd1c7afc62a1725b6fe79d4727f31eaa1969462fd00527410222f0a02a

SHA512
49b4ca85e2ef5d5ba7ad9946e1b1fc415477ca659b7f5bb6ed57059386e8141829fa0f11e111f31a92a6caa129ff88075439ea61a4d8426cbfa5561e3389378b

Download Submit
memory/264-162-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/264-716-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/540-454-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1036-242-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1376-446-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1948-584-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2084-202-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2084-785-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2104-148-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2104-149-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2128-135-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2132-324-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2228-535-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2276-591-0x0000000076D90000-0x0000000076E8A000-memory.dmp

Filesize
1000KB

Download
memory/2276-589-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2296-175-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2348-121-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2436-105-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2436-633-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2436-104-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2540-87-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2540-92-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2552-373-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2560-365-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2612-65-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2612-60-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2732-422-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2796-341-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2800-39-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2800-34-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2868-48-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2868-47-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2868-52-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2872-316-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2876-22-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2876-21-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2876-19-0x0000000002BD0000-0x0000000002D4D000-memory.dmp

Filesize
1.5MB

Download
memory/2876-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2876-0-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2956-75-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2956-78-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2996-860-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2996-255-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2996-256-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3000-269-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-106-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-170-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-225-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-236-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-237-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-230-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-213-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-196-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-200-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-253-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-250-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-270-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-268-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-183-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-279-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-278-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-295-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-291-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-303-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-304-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-184-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-171-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-333-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-227-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-161-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-157-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-410-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-901-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-146-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-143-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-130-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-479-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-17-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3028-128-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-552-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-117-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-113-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-114-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-100-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-707-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-85-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-733-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-758-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-768-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3028-16-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3028-810-0x0000000002D30000-0x0000000002EAD000-memory.dmp

Filesize
1.5MB

Download
memory/3056-414-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3060-495-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download