cybergate | 4322604a7b90e10d6621530703ef5efed50cf25d0352f4abc4f4450ad9d632e8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46f60697302b15d193fd59e07ed783a.exe
Size

284KB
MD5

b46f60697302b15d193fd59e07ed783a
SHA1

b36cab7fe2d188c730b2f4c4b5cb9f97b82c2b52
SHA256

4322604a7b90e10d6621530703ef5efed50cf25d0352f4abc4f4450ad9d632e8
SHA512

5399e5112318cc01150a00c65c841c6aa1544a7f8c9d09c91f2ef008d8050a8154dc8b92871ad6fd995edd8a0d89a61b9b07246bc4804faead2a750780ab94aa
SSDEEP

6144:+k4qmwGQeh5kDYlrwnN3e74lnONWCidPddnwWi94Hc43:h9cbYElEN+NfidFVQ74

Score

10^/10

cybergate öííé persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

127.0.0.1:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b46f60697302b15d193fd59e07ed783a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	b46f60697302b15d193fd59e07ed783a.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b46f60697302b15d193fd59e07ed783a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	b46f60697302b15d193fd59e07ed783a.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart"	b46f60697302b15d193fd59e07ed783a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	b46f60697302b15d193fd59e07ed783a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	b46f60697302b15d193fd59e07ed783a.exe

Executes dropped EXE 1 IoCs

pid	Process
956	windows.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1996-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1996-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1996-64-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3572-69-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3572-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x000d0000000224e9-71.dat	upx
behavioral2/memory/4416-79-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1996-103-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4416-141-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/1996-142-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/956-388-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3572-493-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3572-494-0x0000000031C30000-0x0000000031C3D000-memory.dmp	upx
behavioral2/memory/4416-1530-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3572-1986-0x0000000031C30000-0x0000000031C3D000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	b46f60697302b15d193fd59e07ed783a.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	b46f60697302b15d193fd59e07ed783a.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\	b46f60697302b15d193fd59e07ed783a.exe
File created	\??\c:\windows\SysWOW64\microsoft\windows.exe	b46f60697302b15d193fd59e07ed783a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4944	956	WerFault.exe	98

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b46f60697302b15d193fd59e07ed783a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	b46f60697302b15d193fd59e07ed783a.exe
1996	b46f60697302b15d193fd59e07ed783a.exe
1996	b46f60697302b15d193fd59e07ed783a.exe
1996	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe
4416	b46f60697302b15d193fd59e07ed783a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4416	b46f60697302b15d193fd59e07ed783a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	b46f60697302b15d193fd59e07ed783a.exe
Token: SeDebugPrivilege	4416	b46f60697302b15d193fd59e07ed783a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	b46f60697302b15d193fd59e07ed783a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57
PID 1996 wrote to memory of 3504	1996	b46f60697302b15d193fd59e07ed783a.exe	57

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3096
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3836
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3920
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3984
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4068
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2864
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4396
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2828
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:564
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4940
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:4952
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:3260
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:4652
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2160
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4440
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3232
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:2448
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4268
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2948
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1840
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2544
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3680
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2576
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2600
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1840
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1236
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1556
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2060

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2820

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\b46f60697302b15d193fd59e07ed783a.exe
  "C:\Users\Admin\AppData\Local\Temp\b46f60697302b15d193fd59e07ed783a.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\b46f60697302b15d193fd59e07ed783a.exe
    "C:\Users\Admin\AppData\Local\Temp\b46f60697302b15d193fd59e07ed783a.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
  - - C:\windows\SysWOW64\microsoft\windows.exe
      "C:\windows\system32\microsoft\windows.exe"
      4⤵
      Executes dropped EXE
      PID:956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 568
        5⤵
        Program crash
        
        PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4036

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 956 -ip 956
  2⤵
  PID:4708

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe cbbdeb0d3b620c05c9344c94f234a61d 3w55zr3g3kGSyy02aMhCog.0.1.0.0.0
1⤵
PID:3088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5096

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
40de19fc1e6dcadf95e904176b92be04

SHA1
58c7e4ec33d3f34b99548e815d8d6593635cd8b8

SHA256
60010dd76b9ae3abfb8a9617516fcab470c2019655a8ef768a62ebfec0b5f51d

SHA512
84a9a91e2d8cef463d220608013743e6e0becaccf99a8d4f30c79fce85f75bc2a53edea8b656229c5072ecc0047afcc6f24e2f2d2fe947236077bdb32c0f4fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5fc32daed4b7698c8eaa594c22626e0

SHA1
6c7b562516c68175d8500bfe70f69cba7b3683e0

SHA256
eb1fdb499277186cd4ee4743ecaf4bf01a3d275fb0a2205949d3384511ab3718

SHA512
c53050617e58c9b52104fe0ff8da7689dce059bfb77fa599c21e8b501324998eabb8b007d61ec6e339b4976fa1a11f002b7e02878f305aa01a5de3e5b2c504b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77bd6e11c6af9286010fe83b921f442d

SHA1
ad15d7e81801245af6297843cf3e0affd35c3c4d

SHA256
2b4896f216b4951f0a70ffb2a4b2dd6ae1d65233399d0b82fcdc66f886140e2e

SHA512
259dc1c8791dc83766b1308cdcbcd6a22f5254508202bc62cae3217a257d8c8796dde68f6669df936859c0377b3ee4ec3e73ab003b9ff199ab619670f21f4eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7e9f2a52d6893c272b55b3f715473226

SHA1
d45c749b2bc4b8bba0c52fc20c02d4c4fb8a7a30

SHA256
2fee3cf82493106cefa08723e08e1e237c78a2a5fb913915956eb018f7593f7e

SHA512
02b114f22791e800de1e9c1d41aa6d02221da23c7b2a19b95846afd41ffb88135da768b0ac43b3a0e2120a963c08df0ab8b117338db0f9426b152cfd35eaa8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1dd69291de3781e7793f0a6984fd8166

SHA1
2c3811b33d0451172a37a401ad94319e2bab5034

SHA256
d44ecc24b9b1b1c01da03f1f0eafc25384aa0d8e708acfc978dab0cd064e6fe6

SHA512
1cc649ef8681689f8071ee8e2dc6150dcc568933482683fadb641f9566a11b44d39e6fc957508e1d935309522f5f98920d470e7ce1f162047f0efae502a4687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
64e725f16c95001ddfa5d9350737c075

SHA1
b3da266512b083245a1294351139b23bbb2291dd

SHA256
3d2e45d898b422c92adee79923122369ad743af2885fa7c1f2426e4c21b5f9b9

SHA512
0bca80f7550f56979a2139026766486112a650b2500a047b8661c5447e64828c9439002254b760ac5af4b63cad5cc36f87b4e1d58da72b2c3767d2fbf01d8965

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2bab9ebdfc42cc07c2f17cad0394ac07

SHA1
5f1f4ebf4b42af81ec7145b8561c9d6f8bc20ebb

SHA256
c222135a74653bf47b74a434015ab6d66ded7a51f23eef1f9d3e20efd55f1297

SHA512
3ca208c687e7bc636806ff979553dfb6cf4c7e1298e1d693cbfa0c7d7c5b2c7c86a9c857d3e88cc06710d2a7b274fac967bad36d3f371f6ee3240d479427bd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
36a2164f566d8570fce9ebfd5e0f230f

SHA1
2fb60628cfaad88972910dd876a3e92a37f022bd

SHA256
5b97a4689ae255ab98c4d69f456dc979660e54a25518368929d6ebc2edfb64de

SHA512
43c43817061f315bd66a7c6406071fbbf8bde9dfc3a94d2fee7db159428fcda9009d7c4f7252733279acced32babe5cabc2148244e3e6b905154afbb7891e505

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5b5f3e7fe997c74033c39fc79f80c95e

SHA1
ab28ce76df0fdb48930195723b73809056527567

SHA256
3d6392d9565c70212a457aa7b872dfdb75b54c11c409d2242ff873b65a7e1341

SHA512
623a54205843c11e26a83a3ea7d61205296e60a5abcb63a22a078b48324c63744ea7597c6930ff955faaae07415e4c32ecf6d663f9e955033960c30c83c987f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bafa9703de35ba0527fcea2cafabea0f

SHA1
85efe37e74d4e23c3d8548c4c0dc9eba529ede34

SHA256
755bb1dfa5a278a13fbc6afc379d5cb9feae8fe2b810ec68ceeae9c5d1c81104

SHA512
c237ffcbf842ca896c429d43cb6a6c040577485f88b664e13a7cb77cfd4b3f954356b236360c93c08e5a91f26565a858473e5c7e2a1cc8c0a911ae0a4e98442b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
552307541428633589a1b42b9535559d

SHA1
18ce59dbdcf5066dd8f1a34c33056a4f28ca88ac

SHA256
207c32bce808743e75b510b3b6439bd8235a2f00ece2ecbc87891ea5eae8eec5

SHA512
283618fb2f7a68ab649933f574a4a7c8710facb20a63471070802bfaf9fed29f6a5ff79b33a495a50a2a06eaa6659647c5a417ae7d1c77cc0dc14c45ca043021

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c7ee6a8855338999abe010b22e562b3e

SHA1
e7df55d6f540943f150ded14e1bd55c15593aeda

SHA256
660fb3aa31b4e41d31312e2e3ddd652d3321fe1bffbc22ee2c46bf669c4d6985

SHA512
1eb5dfe5d88b0c375c5d1417cb169ca22101a99b55e944c6ed84dbcda3cd02d66206d27ba412f6e68b7d521f2333ad342760b19bf7eb173433580b7bedd6d259

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66300d20f602e1cae4c352f2a3e7c26c

SHA1
82cf0e5cc4acccb214f93d300c1afeb40cce80c1

SHA256
5273a408552a6b0653555f8ab95e9e2e9a452135c2afc389e8a95cd27261346d

SHA512
6571ebe98afffc536a5dce7c918649ff1d91e755e7c817852e84fa83d320ddc2bcb73fa6fdf7e854d495ef224d5f7de26de87990eeebe847ffee16131f9cd627

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1260027faad94a8f01df2f482c5fb10d

SHA1
7466064561847caf5a5a7312da629af43b8c3afd

SHA256
ab588f1694e674d7e1b409f1e4a6b9541e1f2cb2a5bbe0681d6621dd461c415e

SHA512
d69481b2e178f8c6ca27ed442156cf25acc5e9c57f27193fdc4d16d80d31aec9cfa5462f2464fd69758a805d408fa2daed8ea2755507c751acb80455197b7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c5bfcf0bcb74047170bd0cc42f3c4d16

SHA1
f209ffbdd783c30067dd6c3dae413befc2ec91bc

SHA256
a7ad76d117655769aede70f71cee2dc146ab2e743de6467559e089628e1b3bf3

SHA512
d6ea8ca64a964ee8286fee52c33b906599552e8bfd417b087b02d32eddd12e85db88ed751008a2b5a6b4def84779d673bd21e9f2998ac7c5e06a6f467a9ae277

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66617986be64c9d2454e7a051b934575

SHA1
397c61bf634483a6b2059cb06c8bc4d2688353e1

SHA256
e8a736521036f3b1cc9ab7450f4dd83cd008352b6c4c809750434a7dbf7e3fb4

SHA512
4b8de409547fea0084344ae448eab980bccc602565674631d2d412983b837a103817cc189daa293a2b908fc3710b1e3e80ce129108b41934222bb3213230f2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bbc63468cabeea9f08f0605436537c69

SHA1
83535b32dc28d82c22c2ac5a5e39294198630ddd

SHA256
81dc63e19eac812f7073fdf00e9415a3953ce5f10cb6d986c4de640d37cfd951

SHA512
0ab55a3985cf371c0ca6cb04ae824cdafb837e7cf6d01fe61bb84741b8223fe37bf5c04d4b109afcbb6d0c82fc7a907d3c2403c08e55b5f9adb3b4172c0f9834

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
94b9ac0c43255182f28d8f7d7e5a638b

SHA1
b957ed468d1ac9551d52b6aab90bd7f8a277d2df

SHA256
410feeaef879236836933bd011c5e79bee13f7ee140c3b246ed519603d7aa4e9

SHA512
be5ee306ba6a85769741a9e426b30b6d3d5985d39d6046808f6c429affb671efe408f2877280a9b159679cd29fd6dbaa9ced107900581b03a06b5d1264269b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
51655203d4b324f3dce99f3813018b1e

SHA1
27faf908ec91c0239e9e17d7d4c16a7f57790b06

SHA256
ac245ec08199c8a7f33183f605f785dc661c9b46154ab4b868c2c152dcfc3aae

SHA512
70d69bb9f475f0b79333e3d19fa6c79d953a9b1b6906f41464dd817a0ac28c829db6a9c78b0467f0659366edb4389141226b6e10b78b7bdbfa568d68471dd127

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11bb167699f6602a5ca928d389fa0d70

SHA1
7005af041143f4e5ee6e1949eab63068e7ff34da

SHA256
b46928252c8db729027d9b60a95ffc11197cc608408281a092b75053042cbbf0

SHA512
04794687f279fd36942c0a4d7c69354162598755751376cffe8125bf0c488fd604d40ff3a32bfef847f2eeb4c0c014b47c08863db704aca3b78911249b38807e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\windows\SysWOW64\microsoft\windows.exe

Filesize
284KB

MD5
b46f60697302b15d193fd59e07ed783a

SHA1
b36cab7fe2d188c730b2f4c4b5cb9f97b82c2b52

SHA256
4322604a7b90e10d6621530703ef5efed50cf25d0352f4abc4f4450ad9d632e8

SHA512
5399e5112318cc01150a00c65c841c6aa1544a7f8c9d09c91f2ef008d8050a8154dc8b92871ad6fd995edd8a0d89a61b9b07246bc4804faead2a750780ab94aa

Download Submit
memory/956-388-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1996-103-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1996-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1996-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1996-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1996-64-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3572-69-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3572-67-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/3572-493-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3572-68-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3572-1986-0x0000000031C30000-0x0000000031C3D000-memory.dmp

Filesize
52KB

Download
memory/3572-8-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3572-9-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3572-494-0x0000000031C30000-0x0000000031C3D000-memory.dmp

Filesize
52KB

Download
memory/4416-1530-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4416-141-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4416-79-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download