darkgate | 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7

Analysis

max time kernel
74s
max time network
76s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
23-01-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.4

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 50 IoCs

description	pid	Process	procid_target
PID 4212 created 656	4212	Autoit3.exe	22
PID 4212 created 2972	4212	Autoit3.exe	38
PID 4212 created 2000	4212	Autoit3.exe	86
PID 4212 created 5084	4212	Autoit3.exe	23
PID 4212 created 3616	4212	Autoit3.exe	17
PID 2732 created 2972	2732	cmd.exe	38
PID 2732 created 2972	2732	cmd.exe	38
PID 2732 created 3460	2732	cmd.exe	31
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 2000	2732	cmd.exe	86
PID 2732 created 3624	2732	cmd.exe	33
PID 2732 created 3616	2732	cmd.exe	17
PID 2732 created 3616	2732	cmd.exe	17
PID 2732 created 5084	2732	cmd.exe	23
PID 2732 created 3624	2732	cmd.exe	33
PID 2732 created 5084	2732	cmd.exe	23
PID 2732 created 3460	2732	cmd.exe	31
PID 2732 created 3876	2732	cmd.exe	32
PID 2732 created 5084	2732	cmd.exe	23
PID 2732 created 3616	2732	cmd.exe	17
PID 2732 created 3876	2732	cmd.exe	32
PID 2732 created 2972	2732	cmd.exe	38
PID 2732 created 2992	2732	cmd.exe	37
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 3624	2732	cmd.exe	33
PID 2732 created 3624	2732	cmd.exe	33
PID 2732 created 3984	2732	cmd.exe	93
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 3876	2732	cmd.exe	32
PID 2732 created 3624	2732	cmd.exe	33
PID 2732 created 2992	2732	cmd.exe	37
PID 2732 created 656	2732	cmd.exe	22
PID 2732 created 2992	2732	cmd.exe	37
PID 2732 created 3460	2732	cmd.exe	31
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 5084	2732	cmd.exe	23
PID 2732 created 3624	2732	cmd.exe	33
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 3984	2732	cmd.exe	93
PID 2732 created 2972	2732	cmd.exe	38
PID 2732 created 2972	2732	cmd.exe	38
PID 2732 created 3616	2732	cmd.exe	17
PID 2732 created 2992	2732	cmd.exe	37
PID 2732 created 3876	2732	cmd.exe	32
PID 2732 created 2992	2732	cmd.exe	37
PID 2732 created 3068	2732	cmd.exe	36
PID 2732 created 2992	2732	cmd.exe	37
PID 2732 created 656	2732	cmd.exe	22

Blocklisted process makes network request 22 IoCs

flow	pid	Process
7	2732	cmd.exe
8	2732	cmd.exe
9	2732	cmd.exe
10	2732	cmd.exe
14	2732	cmd.exe
15	2732	cmd.exe
16	2732	cmd.exe
17	2732	cmd.exe
18	2732	cmd.exe
19	2732	cmd.exe
20	2732	cmd.exe
23	2732	cmd.exe
24	2732	cmd.exe
25	2732	cmd.exe
26	2732	cmd.exe
27	2732	cmd.exe
28	2732	cmd.exe
29	2732	cmd.exe
30	2732	cmd.exe
33	2732	cmd.exe
36	2732	cmd.exe
37	2732	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cfcbfdf.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2496	windbg.exe
4212	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
828	MsiExec.exe
2496	windbg.exe
828	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3736	ICACLS.EXE
1748	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4212 set thread context of 2732	4212	Autoit3.exe	92

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5792f9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5792f9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI9962.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9963.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\.bin\ = "bin_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\.bin	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\bin_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1708	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
784	msiexec.exe
784	msiexec.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
4212	Autoit3.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2732	cmd.exe
2000	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	784	msiexec.exe
Token: SeCreateTokenPrivilege	3868	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3868	msiexec.exe
Token: SeLockMemoryPrivilege	3868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3868	msiexec.exe
Token: SeMachineAccountPrivilege	3868	msiexec.exe
Token: SeTcbPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeLoadDriverPrivilege	3868	msiexec.exe
Token: SeSystemProfilePrivilege	3868	msiexec.exe
Token: SeSystemtimePrivilege	3868	msiexec.exe
Token: SeProfSingleProcessPrivilege	3868	msiexec.exe
Token: SeIncBasePriorityPrivilege	3868	msiexec.exe
Token: SeCreatePagefilePrivilege	3868	msiexec.exe
Token: SeCreatePermanentPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeShutdownPrivilege	3868	msiexec.exe
Token: SeDebugPrivilege	3868	msiexec.exe
Token: SeAuditPrivilege	3868	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3868	msiexec.exe
Token: SeChangeNotifyPrivilege	3868	msiexec.exe
Token: SeRemoteShutdownPrivilege	3868	msiexec.exe
Token: SeUndockPrivilege	3868	msiexec.exe
Token: SeSyncAgentPrivilege	3868	msiexec.exe
Token: SeEnableDelegationPrivilege	3868	msiexec.exe
Token: SeManageVolumePrivilege	3868	msiexec.exe
Token: SeImpersonatePrivilege	3868	msiexec.exe
Token: SeCreateGlobalPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	5056	vssvc.exe
Token: SeRestorePrivilege	5056	vssvc.exe
Token: SeAuditPrivilege	5056	vssvc.exe
Token: SeBackupPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeTakeOwnershipPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeTakeOwnershipPrivilege	784	msiexec.exe
Token: SeBackupPrivilege	2344	srtasks.exe
Token: SeRestorePrivilege	2344	srtasks.exe
Token: SeSecurityPrivilege	2344	srtasks.exe
Token: SeTakeOwnershipPrivilege	2344	srtasks.exe
Token: SeBackupPrivilege	2344	srtasks.exe
Token: SeRestorePrivilege	2344	srtasks.exe
Token: SeSecurityPrivilege	2344	srtasks.exe
Token: SeTakeOwnershipPrivilege	2344	srtasks.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeTakeOwnershipPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeTakeOwnershipPrivilege	784	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3868	msiexec.exe
3868	msiexec.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe
2000	OpenWith.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2344	784	msiexec.exe	77
PID 784 wrote to memory of 2344	784	msiexec.exe	77
PID 784 wrote to memory of 828	784	msiexec.exe	79
PID 784 wrote to memory of 828	784	msiexec.exe	79
PID 784 wrote to memory of 828	784	msiexec.exe	79
PID 828 wrote to memory of 3736	828	MsiExec.exe	80
PID 828 wrote to memory of 3736	828	MsiExec.exe	80
PID 828 wrote to memory of 3736	828	MsiExec.exe	80
PID 828 wrote to memory of 1096	828	MsiExec.exe	82
PID 828 wrote to memory of 1096	828	MsiExec.exe	82
PID 828 wrote to memory of 1096	828	MsiExec.exe	82
PID 828 wrote to memory of 2496	828	MsiExec.exe	84
PID 828 wrote to memory of 2496	828	MsiExec.exe	84
PID 828 wrote to memory of 2496	828	MsiExec.exe	84
PID 2496 wrote to memory of 4212	2496	windbg.exe	91
PID 2496 wrote to memory of 4212	2496	windbg.exe	91
PID 2496 wrote to memory of 4212	2496	windbg.exe	91
PID 828 wrote to memory of 1748	828	MsiExec.exe	85
PID 828 wrote to memory of 1748	828	MsiExec.exe	85
PID 828 wrote to memory of 1748	828	MsiExec.exe	85
PID 4212 wrote to memory of 764	4212	Autoit3.exe	89
PID 4212 wrote to memory of 764	4212	Autoit3.exe	89
PID 4212 wrote to memory of 764	4212	Autoit3.exe	89
PID 764 wrote to memory of 1708	764	cmd.exe	87
PID 764 wrote to memory of 1708	764	cmd.exe	87
PID 764 wrote to memory of 1708	764	cmd.exe	87
PID 4212 wrote to memory of 2732	4212	Autoit3.exe	92
PID 4212 wrote to memory of 2732	4212	Autoit3.exe	92
PID 4212 wrote to memory of 2732	4212	Autoit3.exe	92
PID 4212 wrote to memory of 2732	4212	Autoit3.exe	92
PID 4212 wrote to memory of 2732	4212	Autoit3.exe	92
PID 2000 wrote to memory of 3984	2000	OpenWith.exe	93
PID 2000 wrote to memory of 3984	2000	OpenWith.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3616

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:656

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:5084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3624

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3068

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2992

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2972

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B4764614DE61848534E1871D0C699239
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3736
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1096
- - C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2732
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\data.bin
  2⤵
  PID:3984

\??\c:\windows\SysWOW64\PING.EXE
ping 127.0.0.1
1⤵
- Runs ping.exe
PID:1708

\??\c:\windows\SysWOW64\cmd.exe
"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
1⤵
- Suspicious use of WriteProcessMemory
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bfcaadh\Autoit3.exe

Filesize
64KB

MD5
c20ac95a96af05227875d7060bfb9fc2

SHA1
26d2c5d5774731f7ee49636f692bf1712530e8fe

SHA256
00457e22fc18fa4adc06c0b52d008a1b9e117176df4b8a56e71586eeae74146c

SHA512
d305eea0f714d0de07a8b49ea295c7eaba5aed5e9812a604a2c5f39bf1f85f9df0544bd64d7ee2cf7be6b6937ecb917ac851bf2b0585d17c6932b591cf007fc8

Download Submit
C:\ProgramData\bfcaadh\aaafbhc\bhhhehb

Filesize
170B

MD5
016a6319100d56090023c4da8345f137

SHA1
062d7c7554dc1e088fd801ea7d5330b3bcaede7b

SHA256
0f4c8c4151b00d1d09da8e32c9bfe59c976e06e8f75840b90772ae003c0535b2

SHA512
1b541cfe677e10caba2771458a60e0c4ffdacaaf3b1563b524035b9b63edeed3bc4a9ece2e853b9ec1be5a7f3584a6b4c3b447413598b7d6bd6137c18bdb84ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files.cab

Filesize
706KB

MD5
36cfd835269ebb8eef7c09c4265afac2

SHA1
c9f727da77bd58dcfc9848937219fc9ce426b33e

SHA256
c4967528ed39f6d19263f478544f6b3e65e192130fff92e4ad5a57d2a0dc8f8b

SHA512
346bfea789197784d89c791fb51b90e9367b7eb4ce9b8d5dd6d96bef56d04cb85c3708a7a7d1be87e010eaf7b606ce7ae43fc8fde747be57d5a7a88337cbcda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00001-337121377.png

Filesize
166KB

MD5
e2d18b311e5f37f04e2aa514125fc4f6

SHA1
17ef9946557cff84df93e76a538498da3fe5ea70

SHA256
f2768d463d70031546cccb5e4b6268a1653ac69f86375ebd4e94f706898c29ae

SHA512
8f352ef8e83ff3b46918fe0eca795ea558a5e6ea19e7bbe9166a125699f73e2da2225f697856d9e250df2e60b644af5263dc08e75d23240a136125b46a230386

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00002-337121378.png

Filesize
163KB

MD5
e0fcfac97bd0882a13c4b1f708f58045

SHA1
e6f429e4249edfcd6a0b5135f9146aee649811d4

SHA256
8ddb06c2b2d03b21ab895eeffc295de71dbe2fdb7aeb96c0ad5b4ac1317b867d

SHA512
372ac2c95f54cf87a7643b65166b7bd8b261e46106adc7d1c89a580b9267e9e4c7397be5637f80125a5544b3c8530d7b6786100c24661b9af26f2dde506bcbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00003-337121379.png

Filesize
182KB

MD5
aa17e45e1b28680bcb81dfa31e44e312

SHA1
cfc4178053f2b4058a7120fb9033254820c7f056

SHA256
eb3798f087e0d65ba01ee2ae3460bf2e128bbd3d9db5e7304d670b76fe0e8d01

SHA512
bcdf20b8d7afffd20ecbd859ad5409a08cfeb893e3d281cc364ac7598acdfb4ce151d142234fd424c09a3c1ea045f23066e4ff28757a2d007866045655a3c323

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00004-337121380.png

Filesize
224KB

MD5
4180cbc3a53146eb8536be4784ca2f07

SHA1
ccad77a281fee39d8e2e611ca80e706f5afaba11

SHA256
7afee65b7ffbb2c8ce281d67ef8ac3e7c4d777ba58d660382d82b27aab5ec76d

SHA512
d0bcefaf526bfdba88e5681dce7f6711361ad157746b0a678cb37ee85de5060a35642546a967b30279d6e6664ec8c3150dc7eb4f56dddf59e463b57374668f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00005-337121381.png

Filesize
350KB

MD5
a707683dd17fb90daa282696895da490

SHA1
408835908e40e470919a968beb6094c4a8feabec

SHA256
db5b2b5880134a602b925af003a51646a88d5c1e283c79c2c2ced0bd728849fc

SHA512
5d15aae28b4504e1bddc936ca5fe87779a78a03a1b643e1ec0ff8354fc661e334552cb576bcb273b6411e2f70cf04b5a39c5484a12b52a9de9e12e93131e9e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00007-337121383.png

Filesize
130KB

MD5
265aac2eb683dbb8e149ec6165e4de6c

SHA1
b938b1efa91bb534ff5eb86e0fbc3082be4331ba

SHA256
02a354ec44dfa7d60d3c1c8789e1fb484e70856e6048ae158c55628678ff7c48

SHA512
1350ca27357401e27bd257555f6a6549ce99a4122ae58dc4379a93a3fe2050764ca0f9ee0379d5d9898738e01d73bc7b93545a00241b4b6cac640b36b7b2bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\00008-337121384.png

Filesize
157KB

MD5
aad0d28b4de27a3aef192637b3db0882

SHA1
c5906549175ae21b8d5c9e9cee3a22752d9d63b1

SHA256
de0c522a871007220f171cb4da3293f81f133c6f59023f3aadf5b53ec505a48e

SHA512
3327bfa2c4a39d2a3c58b9ea1aae7fbd8cf18a5ed1287c1f070242c9cce589b7ffb5e08ea90f47b4a5da76580f7c2a82835e68aa31cb6d95623744016b0f8356

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\data2.bin

Filesize
449KB

MD5
4d59490305cc3fdaaf97268426d5ff1a

SHA1
b96444f060499135a3d5a372a248f1aebaea20bc

SHA256
cf68f8a12fa75b95c2d2ef05490e23ee4760764aa1e0bf66838efea90324b718

SHA512
a646a9265d0ef9f5c5f374b19f390771437074a8b01ebfbf8dad86ee1a3da21961c768ca184e00827ba6e579556d0e51c3507bb1994037a23b465b325f591ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\dataPicture.jpg

Filesize
74KB

MD5
79f7b41d600abaff5296a0c801f7d4cf

SHA1
c39178673e45c038b58cd486cf2e20e4f110c23a

SHA256
fd98aa4570926913f2272155702e9dac8c63da2eeb4c48202bc66bbf96137525

SHA512
79e861743a02a882df659123cff6f076d32af37299e0619adeeecb4027fbec6720a0302b2b1a9b89dcdb2e52b32c6d7171bb85a0d15afdfb96d0a797b5fbc15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\dbgeng.dll

Filesize
486KB

MD5
4412dc58383a4ec9ee9a7220af610e8b

SHA1
36d3675eeed67e346dfeedd48baf0347ab48d5aa

SHA256
cc61eb1d04003472d2f758ff28fe3ef9cacd99136b4c2c049753dc724d7cf753

SHA512
d60b8ace1649479c29a426a7e5a4b99922087361caa951d1fff000989ba690d9b4e21c0ae37e5af2a7da69d5805eda1a35dbb01437f432e44a1764a200f6ac76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\windbg.exe

Filesize
23KB

MD5
687321eae77fc99c9670fd51e87fbfbb

SHA1
791ce2ef79eaa18494f5c90abf92e59ea95e60b6

SHA256
3d689094456bf5d6f0c38e34dec1e6bee2a14a0e35c2d658bdb952056827a67f

SHA512
ed8272267a2d727bb0c86a786be3d630c15874e82dc1cfdbda1239d8c16530d67f6a22427f1c46bf971f047c08d8f1b0943bb3951204e4eee9a69a4260d7a6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\windbg.exe

Filesize
430KB

MD5
c49f6583be8cb6f108bc2ceda1148dd0

SHA1
f0bab09677a09fa7bddcdf92edf08e8da709568a

SHA256
34cd5e542e55dc7431211708f81f34d9fa7c7785a23e6fe75b15a34c5a26e4d1

SHA512
3340f67d855091496212dbfb8cbf5031161b1d8489e5cab5ecf61deaa7bb33d1062d16690b8438250921ad82fe1fac91b367ff026ee14dff0febc47991bbdfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\msiwrapper.ini

Filesize
1KB

MD5
56610c8391ffbe7761539c169c6e524f

SHA1
8ccf2a9109be10be83f187b75055b0b09751352f

SHA256
9227bd04cd71f8c63ae4fd18699c84e64c5a2550e20ac4234dd49771424a29c0

SHA512
3a1bc650fc48b5b5d0d4d2adde8d9e01ceaa7f81431982f46f3516b5e80883021bbc988ee5762dce40a182b3472e7bc9f360bd9d1e4211dfb7b655cab30491c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\msiwrapper.ini

Filesize
370B

MD5
09a73020f855f192b59c5cc2767e0857

SHA1
521dc2d81a4f926efc99c0f0bc273ab9a94bbb9e

SHA256
cc9d59a1141e2a91a3cff1e8190583cd80a7c41fa89390ed0b614b78e6c4d737

SHA512
0ec9e3e653f200085460c754e3e459890507a7b4318dd805f4e6d66cc112cca909893e302393e04804f80217433177908b4f4d13c3c085c79ffbc25efef7a932

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\msiwrapper.ini

Filesize
1KB

MD5
7f037871aa8709d703894b9ea12c7e5f

SHA1
e4a7b6757fbba228d471c2b535d0a3ad10e73048

SHA256
74c5176c92a55f0a53cc16ea0f4c84c109f1096dae9c7c0b3251c8e4144d0ee7

SHA512
157b55886eb59daa0db35ed3782c1aad5133483a9c6cafaa788a6e4c9895b1e6e7c2ab57cac0b3a1c1f879bd59494704ccc74dc0bcd8d142f33c83607abe6db0

Download Submit
C:\Windows\Installer\MSI9963.tmp

Filesize
115KB

MD5
d731622d2a464d36848ace6dcb87251b

SHA1
75a8989bcefd7aafc29894e06e6a91116337ca4c

SHA256
2d58062897af7dba58925fa40d3050705ff093b18fa82a4edd9fdd48fb609ba6

SHA512
e3b612bc22cb8853a928f3aac60d4b547f63dc0834771461fd54e160121ed82b5abe2a7bd0f68fb33ee60b4e6410fe8ae91464f4a13a488b2b093b369babf0f4

Download Submit
C:\temp\AutoIt3.exe

Filesize
234KB

MD5
429fe5901d58f37d7c3a78b9b5d66114

SHA1
1cdc2938b320b8269744c47dbc531adb42c79693

SHA256
1b79373791ce99a8d303a8ad38bda272bc7b95af6f3eb68f21e2a190582386d6

SHA512
3d760e1c08473ef88ebe3d2f22bac941bbd80e0cd7166e0e81b1b97529396dc9b8a34c3bfacc0d3cb269b397cc4b3ac44cf6f4c97fb0395782431053a395c996

Download Submit
C:\tmpa\Autoit3.exe

Filesize
442KB

MD5
77b05f2b969488456673fab2f287b74b

SHA1
73b38f811b0a7e4b1368cf137fa7a3ea7eb9a0db

SHA256
6b1be198490848f5eac839613f6b0cd81e8fb80a17b1d0ccdc6fec341c40f35e

SHA512
46999e2cf2cb092d8bdcb77e8dad0ad987a1777c5b8bb6f97a4d1645d9bacdf1144e28f8e83184d2f1156ba4e624e9b3a42fe11014fd87d8e71faa85bf00e8ea

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
2.3MB

MD5
31c073258238b737cb2c74f4ae466af2

SHA1
083f7334b95c603c27e7aed64117346becae3a44

SHA256
6750f781f349137652fd346a606c1180f0cf739157c20436deb60e2e4971d3a9

SHA512
210be6b6865dc4fc378371e50d93720be93dd811279e4a277d80bd4e8f6aa4399cdb69daa128d7ed206794e648903bacff24d576bd3b7eae48e95793942635b4

Download Submit
\??\Volume{b4c98594-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4a36e570-44d2-42a9-b761-b1c2056b2e06}_OnDiskSnapshotProp

Filesize
5KB

MD5
700d79151d8cb5a6a686b6fc5e745458

SHA1
ddfd857dcf7c1e69959daffd268c9174fc399b53

SHA256
4567646b07f316de74f28d84a4f81900f3e455a32c6e2f9ae30d2dc6679bef38

SHA512
ebc5b283b87ce0b134cfa6abebcfa38aa6bdadb5b21eeabb6f166c97c6c1d22c8ee398e5cff6bb81322c3acd0fe1017d035ce06d11d0e4742f2f36d175679e84

Download Submit
\??\c:\temp\eekcbdk.au3

Filesize
308KB

MD5
a6021ab2ae45e51e6e8d944418b1b490

SHA1
8d2c9e67f62356eb826b2f89329156ffd37ce548

SHA256
97594b7944c6b5ff9ed9d21b352af427b056d4783d04f413a008ce6802756706

SHA512
15781c2b3bc4505684cce4638f84cff4a94d508c8d5449746d5e8d4150f0d62b7f2659abb9dfa2d63f78266e642447aa857d7bd1960030244ac78eb05bb01e58

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
179KB

MD5
6d84e0e4978edd6ffa124ec62c2bd81c

SHA1
91d3ba2a0ee30825823b34b1c9968720b8f3ab2f

SHA256
ab302b1164c92df9bbf05a9b5aefc10734878d7a393bcbf9b897606d5111bca9

SHA512
cde14723b6bfbb9a71734f2edac537e2654aa48c90fe4467a5f002ee1b8544a7e89496a7e258e14eb55c825e40fbdf1073184fdc1fec8960ead4d8490348eb44

Download Submit
\??\c:\tmpa\script.au3

Filesize
250KB

MD5
a89df490a4852d86b61c49dceddc5589

SHA1
215bf1efd4f60ae7688a126ce92856ab35ffc45d

SHA256
f84929ceca7f1c0b7be63efc14e98161c3e7c2371fa3634b25ee43a2be791a67

SHA512
8f9568d6af169580b6fe7533439b31dc6534a9dfffcee8d39bf4f9b80e060ec6bbb7ab1a889efe7bfa2daf137a39278da4b1e085549539ecefde0659ec194819

Download Submit
\Users\Admin\AppData\Local\Temp\MW-028bed1d-9085-4b54-94b5-ddfb7cfdcb81\files\dbgeng.dll

Filesize
471KB

MD5
8d57674e55b0b81907477d029311edad

SHA1
c89279d4e9ae1bd7e9881582aeaa0e10eba5ff3b

SHA256
e4132d5c4152072f2311d2db2c9ecdd7f0dde7c2a62af68cac80aa46f7fd59aa

SHA512
5755c0592e6fdb6d1615b4521ffa6354846b1a23ee3aeb9fa659013e9b878e39da87ff67aad137c5d51265d0daa640a09e67385d9d6d9b544fe5ea946613b22f

Download Submit
\Windows\Installer\MSI93C4.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\Windows\Installer\MSI9963.tmp

Filesize
115KB

MD5
55357631d58af8b94dbf7ed89915bf41

SHA1
499b050deb99ae937e6595327c378be760565abb

SHA256
a0c10f226dd7042f76b5fe262ae939e0c1544a4c8f433176f231ea3cfdd14266

SHA512
d42ecf9290977cb3093f4b413e9c2721220125720480ccf8038a3835a7b61a9922b6b86aebd81d8d90f2e8b7abf443b74201688ef8b7a5cbdb6f756fc675a6f0

Download Submit
memory/2496-114-0x0000000006740000-0x0000000006840000-memory.dmp

Filesize
1024KB

Download
memory/2496-119-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2732-157-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-183-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-156-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-151-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-159-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-207-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-206-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-171-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-173-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-165-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-164-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-205-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-204-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-178-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-180-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-181-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-182-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-202-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-184-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-185-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-186-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-187-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-188-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-189-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-190-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-191-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-192-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-193-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-194-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-198-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-199-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-200-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-201-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2732-203-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4212-152-0x00000000046B0000-0x00000000049DA000-memory.dmp

Filesize
3.2MB

Download
memory/4212-134-0x00000000046B0000-0x00000000049DA000-memory.dmp

Filesize
3.2MB

Download
memory/4212-132-0x0000000001960000-0x0000000001D60000-memory.dmp

Filesize
4.0MB

Download
memory/4212-148-0x00000000046B0000-0x00000000049DA000-memory.dmp

Filesize
3.2MB

Download
memory/4212-149-0x00000000046B0000-0x00000000049DA000-memory.dmp

Filesize
3.2MB

Download