cybergate | 6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be

Analysis

max time kernel
181s
max time network
181s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe
Size

1.1MB
MD5

94bc558632c9f3e51e55e940cad61b97
SHA1

cf29db7c9b0a3cbab365ca7ea4fe2595d9173775
SHA256

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be
SHA512

2a0ecb63082cdbb5ac2c12a6a2be34583e63077a9402e25d78030a990c051cd0cee7991b838c295e33ad599e893f09e96c1278cc888533ff204069ea92e4bd5b
SSDEEP

24576:cbRtE13E0PVm7SEYIsij5jiuGCSdSX19G158g3dMNYyQqV5:eRSNhEeEYK5GuzCSXnMD3y+

Score

10^/10

cybergate l2ru agilenet persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l2ru

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642

Mutex

0I0Q6R81O8WD50

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
interface
install_file
csrsc.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
exploruse
regkey_hklm
exploruse

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskmgi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\taskmgi = "C:\\Program Files (x86)\\interface\\csrsc.exe"	taskmgi.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	taskmgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\taskmgi = "C:\\Program Files (x86)\\interface\\csrsc.exe"	taskmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	taskmgi.exe

Executes dropped EXE 17 IoCs

Processes:

taskmgi.exetaskmgi.exeIpOverUsbSvrc.exetaskmgi.exetaskmgi.exetaskmgi.exeatiesrx.exetaskmgi.exetaskmgi.exetaskmgi.exetaskmgi.exeatiesrx.exetaskmgi.exeatiesrx.exetaskmgi.exeatiesrx.exetaskmgi.exe

pid	process
1844	taskmgi.exe
1560	taskmgi.exe
2032	IpOverUsbSvrc.exe
1736	taskmgi.exe
1676	taskmgi.exe
1656	taskmgi.exe
1160	atiesrx.exe
1192	taskmgi.exe
924	taskmgi.exe
320	taskmgi.exe
432	taskmgi.exe
532	atiesrx.exe
984	taskmgi.exe
316	atiesrx.exe
1000	taskmgi.exe
2108	atiesrx.exe
2212	taskmgi.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskmgi.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DKM57NUC-LC15-75Q4-2YS1-123TQUUEDRMB}	taskmgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DKM57NUC-LC15-75Q4-2YS1-123TQUUEDRMB}\StubPath = "C:\\Program Files (x86)\\interface\\csrsc.exe Restart"	taskmgi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DKM57NUC-LC15-75Q4-2YS1-123TQUUEDRMB}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DKM57NUC-LC15-75Q4-2YS1-123TQUUEDRMB}\StubPath = "C:\\Program Files (x86)\\interface\\csrsc.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1560-88-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1560-97-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1224-102-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1224-105-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1560-107-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/1560-114-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral1/memory/1756-119-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral1/memory/1756-120-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral1/memory/1756-173-0x0000000010560000-0x00000000105D0000-memory.dmp	upx

Drops startup file 3 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsc.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsc.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	explorer.exe

Loads dropped DLL 3 IoCs

Processes:

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exetaskmgi.exeIpOverUsbSvrc.exe

pid process

1788 6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe
1844 taskmgi.exe
2032 IpOverUsbSvrc.exe

Obfuscated with Agile.Net obfuscator 21 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Program Files (x86)\interface\csrsc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe	agile_net

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskmgi.exeIpOverUsbSvrc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	taskmgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\exploruse = "C:\\Program Files (x86)\\interface\\csrsc.exe"	taskmgi.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	taskmgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\exploruse = "C:\\Program Files (x86)\\interface\\csrsc.exe"	taskmgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

taskmgi.exeatiesrx.exe

description	pid	process	target process
PID 1844 set thread context of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 1736	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 1676	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 1656	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 1192	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 924	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 320	1844	taskmgi.exe	taskmgi.exe
PID 1844 set thread context of 432	1844	taskmgi.exe	taskmgi.exe
PID 1160 set thread context of 532	1160	atiesrx.exe	atiesrx.exe
PID 1844 set thread context of 984	1844	taskmgi.exe	taskmgi.exe
PID 1160 set thread context of 316	1160	atiesrx.exe	atiesrx.exe
PID 1844 set thread context of 1000	1844	taskmgi.exe	taskmgi.exe
PID 1160 set thread context of 2108	1160	atiesrx.exe	atiesrx.exe
PID 1844 set thread context of 2212	1844	taskmgi.exe	taskmgi.exe

Drops file in Program Files directory 2 IoCs

Processes:

taskmgi.exe

description	ioc	process
File created	C:\Program Files (x86)\interface\csrsc.exe	taskmgi.exe
File opened for modification	C:\Program Files (x86)\interface\csrsc.exe	taskmgi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exetaskmgi.exetaskmgi.exetaskmgi.exetaskmgi.exetaskmgi.exeIpOverUsbSvrc.exetaskmgi.exe

pid	process
1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1560	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1736	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1676	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1656	taskmgi.exe
1844	taskmgi.exe
2032	IpOverUsbSvrc.exe
1844	taskmgi.exe
1844	taskmgi.exe
2032	IpOverUsbSvrc.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
1844	taskmgi.exe
2032	IpOverUsbSvrc.exe
1844	taskmgi.exe
1192	taskmgi.exe
1844	taskmgi.exe
2032	IpOverUsbSvrc.exe
1844	taskmgi.exe
1844	taskmgi.exe
2032	IpOverUsbSvrc.exe
1844	taskmgi.exe
1844	taskmgi.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exetaskmgi.exeexplorer.exeIpOverUsbSvrc.exeatiesrx.exe

description	pid	process
Token: SeDebugPrivilege	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe
Token: SeDebugPrivilege	1844	taskmgi.exe
Token: SeDebugPrivilege	1756	explorer.exe
Token: SeDebugPrivilege	1756	explorer.exe
Token: SeDebugPrivilege	2032	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1160	atiesrx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

taskmgi.exe

pid process

1560 taskmgi.exe

pid	process
1560	taskmgi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exetaskmgi.exetaskmgi.exe

description	pid	process	target process
PID 1788 wrote to memory of 1844	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	taskmgi.exe
PID 1788 wrote to memory of 1844	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	taskmgi.exe
PID 1788 wrote to memory of 1844	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	taskmgi.exe
PID 1788 wrote to memory of 1844	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	taskmgi.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1788 wrote to memory of 364	1788	6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe	AppLaunch.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 1560	1844	taskmgi.exe	taskmgi.exe
PID 1844 wrote to memory of 2032	1844	taskmgi.exe	IpOverUsbSvrc.exe
PID 1844 wrote to memory of 2032	1844	taskmgi.exe	IpOverUsbSvrc.exe
PID 1844 wrote to memory of 2032	1844	taskmgi.exe	IpOverUsbSvrc.exe
PID 1844 wrote to memory of 2032	1844	taskmgi.exe	IpOverUsbSvrc.exe
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE
PID 1560 wrote to memory of 1232	1560	taskmgi.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe
"C:\Users\Admin\AppData\Local\Temp\6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:708

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
5⤵
- Executes dropped EXE
PID:532

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
5⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
5⤵
- Executes dropped EXE
PID:2108

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
PID:924

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
PID:320

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
PID:432

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe"
3⤵
- Executes dropped EXE
PID:2212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\interface\csrsc.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
234KB

MD5
18fa8d0edb33c23bd6f8e456ac8e003f

SHA1
e8b1ee29d2ae5adc83eb9529789b922e5fada004

SHA256
385ea57f9870172465be392213d9647a22641d2526a1e78cdde2ed5fd55349f3

SHA512
b41a1786faaf372c688f2ea0b915b4d8664e8923c78de8a576ae790cc92b6f305190048097ae661779ed2a902c4d528518c8c784156dc972cec239c4148f3458

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
11KB

MD5
5249a17cb09bb8d857feb19c047a894b

SHA1
c9e8a8f6cf2d4f14c68b85f409a2d50a57114c79

SHA256
79c10fbcc5f86767857e5193096dcb866dff14e039da6bfa07c7cbd9095b99f1

SHA512
56bfecdc10e0d5e89a9fad91a033fe7f81c673e1167cd994fd5f57c126c02563d18d734713da82d3e30e47201920e49059ff169d0ba486d8be835688e0856d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
11KB

MD5
5249a17cb09bb8d857feb19c047a894b

SHA1
c9e8a8f6cf2d4f14c68b85f409a2d50a57114c79

SHA256
79c10fbcc5f86767857e5193096dcb866dff14e039da6bfa07c7cbd9095b99f1

SHA512
56bfecdc10e0d5e89a9fad91a033fe7f81c673e1167cd994fd5f57c126c02563d18d734713da82d3e30e47201920e49059ff169d0ba486d8be835688e0856d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
11KB

MD5
5249a17cb09bb8d857feb19c047a894b

SHA1
c9e8a8f6cf2d4f14c68b85f409a2d50a57114c79

SHA256
79c10fbcc5f86767857e5193096dcb866dff14e039da6bfa07c7cbd9095b99f1

SHA512
56bfecdc10e0d5e89a9fad91a033fe7f81c673e1167cd994fd5f57c126c02563d18d734713da82d3e30e47201920e49059ff169d0ba486d8be835688e0856d23

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskmgi.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
637KB

MD5
4ee1ef4173b77e19dba093131bd4d7a1

SHA1
02558a3eea6a0b9bcfcf632e869416129bcc0978

SHA256
e322681aab8155ab06bc9081bd79d31ec86b744932fa8d2056334182a2cf1348

SHA512
ef4e539399f9c45d25c3158e9ba6b69e21238e8fc45ec6614c0856eaa0fca16b93e81526a54c1cf40abfba228aae7a4db2d7460d1f0b28db3dd7ed4cc8a713a8

Download Submit
memory/316-299-0x0000000000409860-mapping.dmp

Download
memory/320-225-0x0000000000409860-mapping.dmp

Download
memory/320-231-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/320-232-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/432-243-0x0000000000409860-mapping.dmp

Download
memory/432-248-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/432-272-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/532-259-0x0000000000409860-mapping.dmp

Download
memory/924-213-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/924-208-0x0000000000409860-mapping.dmp

Download
memory/924-214-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/984-301-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/984-283-0x0000000000409860-mapping.dmp

Download
memory/984-288-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1000-312-0x0000000000409860-mapping.dmp

Download
memory/1000-341-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1000-317-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1160-230-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1160-179-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1160-176-0x0000000000000000-mapping.dmp

Download
memory/1192-197-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1192-196-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1192-191-0x0000000000409860-mapping.dmp

Download
memory/1224-96-0x0000000071C51000-0x0000000071C53000-memory.dmp

Filesize
8KB

Download
memory/1224-105-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1224-102-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1224-94-0x0000000000000000-mapping.dmp

Download
memory/1232-91-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1560-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-97-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1560-88-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1560-107-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1560-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-114-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1560-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-121-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-75-0x0000000000409860-mapping.dmp

Download
memory/1560-80-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1656-172-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1656-180-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1656-167-0x0000000000409860-mapping.dmp

Download
memory/1676-154-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1676-156-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1676-149-0x0000000000409860-mapping.dmp

Download
memory/1736-138-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1736-137-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1736-132-0x0000000000409860-mapping.dmp

Download
memory/1756-119-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1756-173-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1756-120-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1756-111-0x0000000000000000-mapping.dmp

Download
memory/1788-62-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-54-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1788-56-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-55-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1844-63-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1844-64-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1844-58-0x0000000000000000-mapping.dmp

Download
memory/2032-81-0x0000000000000000-mapping.dmp

Download
memory/2032-86-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-155-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/2108-328-0x0000000000409860-mapping.dmp

Download
memory/2212-352-0x0000000000409860-mapping.dmp

Download