darkgate | 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cda346f63d0573b10b068df355b53abd1abe75427db0925244d94a8.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 1328 created 2316	1328	Autoit3.exe	60
PID 1328 created 4332	1328	Autoit3.exe	98
PID 1328 created 2452	1328	Autoit3.exe	58
PID 1328 created 2344	1328	Autoit3.exe	59
PID 1328 created 4332	1328	Autoit3.exe	98
PID 1968 created 4016	1968	cmd.exe	46
PID 1968 created 2536	1968	cmd.exe	33
PID 1968 created 2536	1968	cmd.exe	33
PID 1968 created 2452	1968	cmd.exe	58
PID 1968 created 1160	1968	cmd.exe	32
PID 1968 created 2536	1968	cmd.exe	33
PID 1968 created 2452	1968	cmd.exe	58
PID 1968 created 3928	1968	cmd.exe	26
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 2452	1968	cmd.exe	58
PID 1968 created 2452	1968	cmd.exe	58
PID 1968 created 1160	1968	cmd.exe	32
PID 1968 created 2536	1968	cmd.exe	33
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 544	1968	cmd.exe	97
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 1160	1968	cmd.exe	32
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 3928	1968	cmd.exe	26
PID 1968 created 2536	1968	cmd.exe	33
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 2452	1968	cmd.exe	58
PID 1968 created 1160	1968	cmd.exe	32
PID 1968 created 3928	1968	cmd.exe	26
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 544	1968	cmd.exe	97
PID 1968 created 3848	1968	cmd.exe	47
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 4016	1968	cmd.exe	46
PID 1968 created 3928	1968	cmd.exe	26
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 544	1968	cmd.exe	97
PID 1968 created 2452	1968	cmd.exe	58
PID 1968 created 3848	1968	cmd.exe	47
PID 1968 created 544	1968	cmd.exe	97
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 4016	1968	cmd.exe	46
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 3720	1968	cmd.exe	48
PID 1968 created 3928	1968	cmd.exe	26
PID 1968 created 2316	1968	cmd.exe	60
PID 1968 created 4016	1968	cmd.exe	46
PID 1968 created 544	1968	cmd.exe	97
PID 1968 created 4016	1968	cmd.exe	46
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 544	1968	cmd.exe	97
PID 1968 created 1160	1968	cmd.exe	32
PID 1968 created 3928	1968	cmd.exe	26
PID 1968 created 4016	1968	cmd.exe	46
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 2344	1968	cmd.exe	59
PID 1968 created 544	1968	cmd.exe	97

Blocklisted process makes network request 64 IoCs

flow	pid	Process
19	1968	cmd.exe
20	1968	cmd.exe
21	1968	cmd.exe
22	1968	cmd.exe
23	1968	cmd.exe
24	1968	cmd.exe
25	1968	cmd.exe
26	1968	cmd.exe
27	1968	cmd.exe
28	1968	cmd.exe
29	1968	cmd.exe
30	1968	cmd.exe
31	1968	cmd.exe
32	1968	cmd.exe
33	1968	cmd.exe
34	1968	cmd.exe
35	1968	cmd.exe
36	1968	cmd.exe
37	1968	cmd.exe
38	1968	cmd.exe
39	1968	cmd.exe
40	1968	cmd.exe
41	1968	cmd.exe
42	1968	cmd.exe
47	1968	cmd.exe
48	1968	cmd.exe
49	1968	cmd.exe
50	1968	cmd.exe
51	1968	cmd.exe
52	1968	cmd.exe
53	1968	cmd.exe
54	1968	cmd.exe
55	1968	cmd.exe
57	1968	cmd.exe
60	1968	cmd.exe
61	1968	cmd.exe
62	1968	cmd.exe
63	1968	cmd.exe
64	1968	cmd.exe
65	1968	cmd.exe
66	1968	cmd.exe
67	1968	cmd.exe
68	1968	cmd.exe
69	1968	cmd.exe
70	1968	cmd.exe
71	1968	cmd.exe
72	1968	cmd.exe
73	1968	cmd.exe
74	1968	cmd.exe
75	1968	cmd.exe
76	1968	cmd.exe
77	1968	cmd.exe
78	1968	cmd.exe
79	1968	cmd.exe
80	1968	cmd.exe
81	1968	cmd.exe
82	1968	cmd.exe
83	1968	cmd.exe
84	1968	cmd.exe
85	1968	cmd.exe
86	1968	cmd.exe
87	1968	cmd.exe
88	1968	cmd.exe
92	1968	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffaedda.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1640	windbg.exe
1328	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
4416	MsiExec.exe
1640	windbg.exe
4416	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2308	ICACLS.EXE
2240	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1328 set thread context of 1968	1328	Autoit3.exe	101

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIC7F4.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a5d5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a5d5.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB24.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSICB12.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	Autoit3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3468	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1052	msiexec.exe
1052	msiexec.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1328	Autoit3.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe
1968	cmd.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeShutdownPrivilege	756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	756	msiexec.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeCreateTokenPrivilege	756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	756	msiexec.exe
Token: SeLockMemoryPrivilege	756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	756	msiexec.exe
Token: SeMachineAccountPrivilege	756	msiexec.exe
Token: SeTcbPrivilege	756	msiexec.exe
Token: SeSecurityPrivilege	756	msiexec.exe
Token: SeTakeOwnershipPrivilege	756	msiexec.exe
Token: SeLoadDriverPrivilege	756	msiexec.exe
Token: SeSystemProfilePrivilege	756	msiexec.exe
Token: SeSystemtimePrivilege	756	msiexec.exe
Token: SeProfSingleProcessPrivilege	756	msiexec.exe
Token: SeIncBasePriorityPrivilege	756	msiexec.exe
Token: SeCreatePagefilePrivilege	756	msiexec.exe
Token: SeCreatePermanentPrivilege	756	msiexec.exe
Token: SeBackupPrivilege	756	msiexec.exe
Token: SeRestorePrivilege	756	msiexec.exe
Token: SeShutdownPrivilege	756	msiexec.exe
Token: SeDebugPrivilege	756	msiexec.exe
Token: SeAuditPrivilege	756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	756	msiexec.exe
Token: SeChangeNotifyPrivilege	756	msiexec.exe
Token: SeRemoteShutdownPrivilege	756	msiexec.exe
Token: SeUndockPrivilege	756	msiexec.exe
Token: SeSyncAgentPrivilege	756	msiexec.exe
Token: SeEnableDelegationPrivilege	756	msiexec.exe
Token: SeManageVolumePrivilege	756	msiexec.exe
Token: SeImpersonatePrivilege	756	msiexec.exe
Token: SeCreateGlobalPrivilege	756	msiexec.exe
Token: SeBackupPrivilege	3392	vssvc.exe
Token: SeRestorePrivilege	3392	vssvc.exe
Token: SeAuditPrivilege	3392	vssvc.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
756	msiexec.exe
756	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
544	OpenWith.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4416	1052	msiexec.exe	87
PID 1052 wrote to memory of 4416	1052	msiexec.exe	87
PID 1052 wrote to memory of 4416	1052	msiexec.exe	87
PID 4416 wrote to memory of 2240	4416	MsiExec.exe	89
PID 4416 wrote to memory of 2240	4416	MsiExec.exe	89
PID 4416 wrote to memory of 2240	4416	MsiExec.exe	89
PID 4416 wrote to memory of 3132	4416	MsiExec.exe	91
PID 4416 wrote to memory of 3132	4416	MsiExec.exe	91
PID 4416 wrote to memory of 3132	4416	MsiExec.exe	91
PID 4416 wrote to memory of 1640	4416	MsiExec.exe	93
PID 4416 wrote to memory of 1640	4416	MsiExec.exe	93
PID 4416 wrote to memory of 1640	4416	MsiExec.exe	93
PID 1640 wrote to memory of 1328	1640	windbg.exe	94
PID 1640 wrote to memory of 1328	1640	windbg.exe	94
PID 1640 wrote to memory of 1328	1640	windbg.exe	94
PID 4416 wrote to memory of 2308	4416	MsiExec.exe	95
PID 4416 wrote to memory of 2308	4416	MsiExec.exe	95
PID 4416 wrote to memory of 2308	4416	MsiExec.exe	95
PID 1328 wrote to memory of 4332	1328	Autoit3.exe	98
PID 1328 wrote to memory of 4332	1328	Autoit3.exe	98
PID 1328 wrote to memory of 4332	1328	Autoit3.exe	98
PID 4332 wrote to memory of 3468	4332	cmd.exe	100
PID 4332 wrote to memory of 3468	4332	cmd.exe	100
PID 4332 wrote to memory of 3468	4332	cmd.exe	100
PID 1328 wrote to memory of 1968	1328	Autoit3.exe	101
PID 1328 wrote to memory of 1968	1328	Autoit3.exe	101
PID 1328 wrote to memory of 1968	1328	Autoit3.exe	101
PID 1328 wrote to memory of 1968	1328	Autoit3.exe	101
PID 1328 wrote to memory of 1968	1328	Autoit3.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1160

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:2536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2344

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2316

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6cda346f63d0573b10b068df355b53abd1abe75427db0925244d94a8.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 763639917482008DE4D5D649997A9A9E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2240
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1328
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fdbaddf\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\fdbaddf\dbcfgcd\ehafbhh

Filesize
170B

MD5
7899a45bef3a504a4681a98a533b8771

SHA1
48a31107820f90827ce80fd576febe5b4ed4c602

SHA256
57a2dccec923e8751789cd73a96b02768deedd196b2a7ee713ce7cd3848de982

SHA512
c3c06b34a97dbd12fe77f051f9b00eaab386a1396f579a4563c5b4f8c01efc4a5b8907c34d31cd56fae63624c7fff69f624c67082185f4ce39cbfe4136a05f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files.cab

Filesize
8.9MB

MD5
3a4de3260c72e38f814cc2a7b2d42df7

SHA1
19458fb6838dd9d8be113b0b9983c7d77c12eb25

SHA256
411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7

SHA512
3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00001-337121377.png

Filesize
1.1MB

MD5
fd49f38e666f94abdbd9cc0bb842c29b

SHA1
36a00401a015d0719787d5a65c86784760ee93ff

SHA256
1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f

SHA512
2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00002-337121378.png

Filesize
1.0MB

MD5
f68d2ca13e1268dd79e95591b976ec45

SHA1
588454301e3c25065349740573282145aa0a5c7b

SHA256
af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460

SHA512
a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00003-337121379.png

Filesize
1.1MB

MD5
7dbe5e4b98d7601585cfb9697f265e0f

SHA1
da8477a2494b1436664c535d7c854bf778942a76

SHA256
c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288

SHA512
38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00004-337121380.png

Filesize
1.0MB

MD5
85da5b7fd4b6983fffe78853c5276c03

SHA1
49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96

SHA256
ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba

SHA512
c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00005-337121381.png

Filesize
1.0MB

MD5
602b44b5e0a94c61c7ae501966eb4fd5

SHA1
853f5c83bedd4523cb72ca127cc6c269ac99e2d9

SHA256
2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3

SHA512
e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00007-337121383.png

Filesize
1.1MB

MD5
9a40cf65a81a8f618a4f562e2494a557

SHA1
3b06e119cc017bbe99c06906779f40f2d04b08ad

SHA256
087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6

SHA512
745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\00008-337121384.png

Filesize
1.1MB

MD5
452b0afd9436be767a0ee61e98ef0356

SHA1
736f12f84f8af0bd04f5b207f31cba8dd359ae03

SHA256
0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a

SHA512
2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\data2.bin

Filesize
1.8MB

MD5
7673659bf664bd45a6f3c38b7d1c25d3

SHA1
a9b40ab4590b77887417ec33ecd061c98490176a

SHA256
41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d

SHA512
14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\dataPicture.jpg

Filesize
159KB

MD5
008b295295c49c6d07161baff5f7212b

SHA1
f89d13817531957967be21327c8180a35960d04d

SHA256
9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134

SHA512
6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\msiwrapper.ini

Filesize
1KB

MD5
9f3f8d71305356029dd0653ae8bceace

SHA1
c8cf7f27291fd0720a1bde9e13581eb9f86887b8

SHA256
2c5364e554ad766f129d854f4ea1507a9583487c7c5de7360d4b637ef4cfe3cd

SHA512
693a8eb28600411773e1a48b0dcd3274c8f8538596dfd7ad7e47cabc79e1a71853742a1a8dd9c57bd0c4eca9dbf5f9a7e0f22fe59404a89b3e57c47419f13bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\msiwrapper.ini

Filesize
330B

MD5
09923858452cbe3b21e40abb6d5943ac

SHA1
4022e49b736ffc6f3e62bfeeb0142e174ba462c1

SHA256
81b2d70151c9c901edc126d8c54ee189e3555e57a45813a9f86206e2be780c08

SHA512
afa436adaadca9865dea9c7bcccd03435ce9e7ca4e55e22fd422848ff96cd54f469250ac393d16698af0134a3e3adc110ce00adda437caea1a4599c7b9e3c5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\msiwrapper.ini

Filesize
1010B

MD5
750531e892a313f46e7616ecab83605a

SHA1
c8dce7a95bfa303ada6366245d24cf79e4583509

SHA256
16edba0909a8d17d85af28e428bbe6d57baa7f97c9296861e81954d7ee95541c

SHA512
ce84a81844baac976a543c53cc6a3600a2bf713b4fac51b809fd9a327c9867c95ada78bc3c120b4060052fe058bf63c8c907a2b5826aefbdd144f1d595b143a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\msiwrapper.ini

Filesize
1KB

MD5
2129d9b541982e5ee6d7e4616c1c7248

SHA1
9bf5c2b4d373ab5e39f982f13b7f2fa7a4757d33

SHA256
25403d3fc68de2515047edae1d7a39015cd2ab8bb1b5298e46c3a3da3e2218e5

SHA512
a006c49fd49d48e62e72cc560e7158718b7f048336ffd855c2b8775b274180e5ed715f19a16c9111b9a513608033af34a50e0bd91204a9f80b08ced315102ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ec393f7e-2dd0-481d-bf26-50c6afbc049c\msiwrapper.ini

Filesize
1KB

MD5
2129d9b541982e5ee6d7e4616c1c7248

SHA1
9bf5c2b4d373ab5e39f982f13b7f2fa7a4757d33

SHA256
25403d3fc68de2515047edae1d7a39015cd2ab8bb1b5298e46c3a3da3e2218e5

SHA512
a006c49fd49d48e62e72cc560e7158718b7f048336ffd855c2b8775b274180e5ed715f19a16c9111b9a513608033af34a50e0bd91204a9f80b08ced315102ace

Download Submit
C:\Windows\Installer\MSIAB24.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIAB24.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSICB12.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSICB12.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\hhddeff.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
memory/1328-120-0x0000000004210000-0x000000000453A000-memory.dmp

Filesize
3.2MB

Download
memory/1328-136-0x0000000004210000-0x000000000453A000-memory.dmp

Filesize
3.2MB

Download
memory/1328-137-0x0000000004210000-0x000000000453A000-memory.dmp

Filesize
3.2MB

Download
memory/1328-138-0x0000000004210000-0x000000000453A000-memory.dmp

Filesize
3.2MB

Download
memory/1328-135-0x0000000004210000-0x000000000453A000-memory.dmp

Filesize
3.2MB

Download
memory/1328-140-0x0000000000F70000-0x0000000001370000-memory.dmp

Filesize
4.0MB

Download
memory/1328-110-0x0000000000F70000-0x0000000001370000-memory.dmp

Filesize
4.0MB

Download
memory/1640-106-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1640-101-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/1968-160-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-181-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-142-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-149-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-150-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-141-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-156-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-157-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-158-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-159-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-139-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-161-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-162-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-163-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-164-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-165-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-166-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-167-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-168-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-169-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-170-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-171-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-173-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-176-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-177-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-178-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-180-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-144-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-182-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-185-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-187-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-186-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-188-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-189-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-190-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-191-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-192-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-193-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-194-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-195-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-196-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-197-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-199-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-200-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-201-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-202-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-203-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-204-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-205-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-206-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-207-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-208-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-209-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-210-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-212-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-211-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1968-213-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download