cybergate | ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5

Analysis

max time kernel
98s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Size

4.1MB
MD5

5c2dd6e4760729c4e6ccba57e5c53dd0
SHA1

8b4f76990354a9fe16b4e8c4fe459dc9aa67b9d2
SHA256

ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5
SHA512

e479c858bb27281567ae79c9d3f7e505db72c7af49c5675fd2980d39696a82d59bcbc2c260a27f830992644f53384698e0e06bff149bd991d8f014157b98e05d
SSDEEP

98304:xUS+UpfIpZtN9DwAefvGsXjqD7+IG7Jyxz/xM3+A6nswaXzVJvV3m3:xAUWpPNBefvM7+/Org+FnGXzVJG

Score

10^/10

cybergate vítima discovery evasion persistence stealer themida trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

trufyhack.no-ip.biz:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}\StubPath = "c:\\dir\\install\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Executes dropped EXE 11 IoCs

pid	Process
5180	server.exe
5972	server.exe
7076	server.exe
6868	server.exe
6796	server.exe
3396	server.exe
4276	server.exe
2996	server.exe
7924	server.exe
7800	server.exe
8516	server.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	server.exe

Themida packer 42 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3252-0-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-2-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-3-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-4-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-5-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-6-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-7-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-8-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-9-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-10-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-11-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-12-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-13-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-15-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-18-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-19-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-30-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-35-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/files/0x0007000000023cd5-699.dat	themida
behavioral2/memory/5180-703-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/5436-716-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/5972-900-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/5180-1070-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/7076-1087-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/6868-1159-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/5972-1174-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/6796-1220-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/7076-1269-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/4276-1274-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/6868-1426-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/7924-1436-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/6796-1617-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/4276-1746-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/3252-1743-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/7924-1890-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/7924-2249-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/6868-3422-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/5180-3675-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/6796-3739-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/5972-3746-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/4276-3786-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral2/memory/7076-4019-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe"	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe"	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4576	7800	WerFault.exe	113
7744	2996	WerFault.exe	110
524	3396	WerFault.exe	108
3632	8516	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
5180	server.exe
5180	server.exe
5972	server.exe
5972	server.exe
7076	server.exe
7076	server.exe
6868	server.exe
6868	server.exe
6796	server.exe
6796	server.exe
4276	server.exe
4276	server.exe
7924	server.exe
7924	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5436	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Token: SeDebugPrivilege	5436	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56
PID 3252 wrote to memory of 3488	3252	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5180
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6880
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:3396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 944
        6⤵
        Program crash
        
        PID:524
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5972
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4860
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 960
        6⤵
        Program crash
        
        PID:7744
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7076
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7604
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:8516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 944
        6⤵
        Program crash
        
        PID:3632
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:6868
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:6796
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:4276
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:7924
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      PID:7800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 664
        5⤵
        Program crash
        
        PID:4576
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
    "C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5436
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:9092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7800 -ip 7800
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2996 -ip 2996
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3396 -ip 3396
1⤵
PID:7828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8516 -ip 8516
1⤵
PID:8088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
7babfd6a39337edc25e0c88694f9fdd2

SHA1
8b341add4cbd722cf793a4d877ef271d0f0cd1af

SHA256
b2f74185ce0229f892d69297303bcfd3f0e653e257724c277edd0c2e3f13bb7a

SHA512
a61c8475b9c99b038d8edbc6deeb31102a8af401a1a51114f075dd9fb692298c8f4a549ccd6718a7286efd119ebcb4fb1e45c5e0566bd2a15775594d9c55f4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
ae53bc02f1bf2fdf42ca9f3a98458618

SHA1
dab590d8c8a46690d3ea964d689bb85e0d556e5f

SHA256
e91595fdf46191fdf48328541739fa6637bd9bb71561ab27dc45555750e5bd06

SHA512
6af08c23ed33d3e8dc6d7cca15237121886c80c8b6cbba9f82f3667ba5595965f1403325479cb9b7bce9beffca94b79c7ce0b11b49cb4cd7b37bc5b461850407

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb830517637fe62b998716f61ce43cdb

SHA1
499b1becd6a994bea9d4dfe99a2290e3a285f3b6

SHA256
92a0e1eda485c4b0167e9dc445214417f55669eb097c49b6858249dea6064e25

SHA512
a73bb1826dae5cac6d423b291fead066d56937dc2744c3c551e979ff969ef29143ba4285499e80e9fe41cf0cb3ba5b830ae58359d2621f7f7a1c6a9a942d9950

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fff27603b7a0cb4580101dd29e6e347d

SHA1
698dc72c95bc26b09b49c5cdb55585b2b1a1d786

SHA256
e2b73cbbf1ad7976167d731346bbcfcc0de8ff0a83c9cac94bcb3f8bbb8c8ea1

SHA512
730e76ce97489a5ca4c6f73b6fe9291a1a1fc1afba41b9c5f5bafb728b1811467c21a0ab977a50f97467e22b40b13cb63770e83aa86d089eb0664a1ab5a78e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c355fc1399379bf46a26aecb33f497d5

SHA1
c811015322968391a0c42fcdfecf28fb69fe3adb

SHA256
02b38472d67b2738fd37126a2dec88c8134b14251bd399197899c6a82ce5dde6

SHA512
9afc9814c7520d8227d27f2388cfd277baf548d57ccbdd6d5d8460a54349a357ba573417f79317a6dd4314d26fbbbc57e57c3d5fb49dc7e9911b86c82d48e671

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a48ea08bb3f5d47ba13f55370d0012b

SHA1
98f5a84378cfb2eed5988d6e933c7c38352afaef

SHA256
9b79e06da22097bff4d4a490e770dfe331e982291f90ac646aa70dd502ac3b08

SHA512
d1374214007856668e7bca8773226b3d67e4420da6d7f3198d834f42d8ae44acb2a85bda432a2a249e17d5eb0378e34785ec8d3d00276b8f6918a43eee1f65e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d92a3c0aeeb9553eb338b38cbd83cef0

SHA1
2fa424d6cea06eed0cf73f783617e322704d81db

SHA256
aaed111f5d590253e695542d5a873ff288f1f793857d6e8c9cb569d645be4581

SHA512
c3ede0b46c2bc9da60708c7d81eb0bc9afbe977cb56d8d49a84446ea094b7da8718b513352230494ee48e39cd2b8b039a460859d43be5984c62e80b672a2585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37a36518fb28d63a4c4932980ab853bf

SHA1
3545f298d933e0e68ce18beb91e9936bd123066f

SHA256
229cc6b5f04585d557e1447ae65fe32be29715aaebddc0cc63752d3266c84694

SHA512
93c976091940637a5282a447fd7035b03a9e46f37319ebd00caff4aacce31404b23415630bc25accab1792307742c16853c91f3ceb5b18e2046858ec47b7b85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a27351abcc7729f2a0df864219a6c637

SHA1
bf7f46134e5375c6ace8485f54a660d33b322876

SHA256
7939abd565c68fb7943f96b59405ca6e2371a0389962c509cb88cba5fe31978a

SHA512
35db9c5e40ad16f965815c9005863dc7ad70a59f37fff6f1c7ca3af6ff74f5d613da788686493ad20668fa98b685467acf83e3ac869865d7dd8afca957a27ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0241d5045faba8c032b1e57e251b629c

SHA1
119443483eb1008f6223b394ce162cf1b7a777b8

SHA256
a6f35a2ccbffb00d9d850be5673dbd2493c562ea153772e6fad0c7f521dc07e6

SHA512
b23cc357392841b463fbd9edf6607d14a893d613473546fdda5215bdeaad889d2afb4b620196c5bb2543e6699e9d6de3e8a38922f24887780a684962c8fd8fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
34437c6912e38b4f1746c469de96c1f7

SHA1
77e1f47495ba1d747e784c2f3d1bdf362352669e

SHA256
1b90b2dd5ecfe111376274bd41ba0ce225c2077a62033afea4eaf98fcbc90cd0

SHA512
f137598f7c8b17800cd9a38d25da16a23034efef26ad965ebd1addd05e251f781815f90606ea9ba4d1c616b3bec48873311736a3335022eaab7ba91767d65c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4dd1e4a5a9f3b990cf400e71312ab511

SHA1
c175a4062b211653047d3dc7347b1e5557d12dbb

SHA256
a333ca3afe9533b90c2db9e6eb0d115cc5e6e4b4da91bee3587362bfa5a0be1a

SHA512
0ac6d70b066717ca325f602831b397a11f790c16de64bc176cbe48b34e95a0a830d89961279755595519a8165c03b58674d22f87efb7b0101297ef1ff5d9fb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aea81ddf39fdc936ce421fa2cdecb9e7

SHA1
93fd780c277acbc05d148e2598f06f07d585ca2c

SHA256
caad8fa7a399021b125a07f618b75d1654fc3d430888d08488458dd6b620a92a

SHA512
cf18f35a936b11de2d5873f4119f15a3d3d065caa4e722c795138c14807c86f7affe6c543b9a9051c705087ce2355497f1e18f1061cc0d43383666cc44b8e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d936e68792b5ad7b80ba13182542a29a

SHA1
2948430c3ccea21a3f32d57739d9052e19b09898

SHA256
b452c0bf224c052629098de72000f5d5f2d6d7ad32c172fd826d392de9780089

SHA512
b957548cd0b27c981f54038e11fec492400d59ed64fde1e73322c802ea29d49c97538e7e4efa61740b9a61d7088349d125a666778cf4b8d85c3565884ba3555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c30546846f41082064f7ca17bac9bdd0

SHA1
3ea58e93e9112f93100b444d2e29d56b57847b65

SHA256
bfc7dccd8c8e360fa458511d44c6ccd12675bc8ffb8fa99ea92cd6ac60a32dc4

SHA512
006a97840981eea7ad03356c142792fd5c250fba6c33bf5c5c3c7fcceb5a28f07e3d9391d462e3bba4a6a7fe06bf82300cac7f2bfd46ee9fd99f31468325e729

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ab3395dd2acb1fe2b01cdf48c04c9f9

SHA1
8ab6ba2a11d41831d63114c7155ffa62636468fe

SHA256
992c831d394039800225a203e883e1fd32cd6d74773c1d7be37349b5b330870e

SHA512
f9c68bbaf01c9760478b02d2f3539c7b670b1e016d340ac0e8a88efc2a13440d4a7022dbe49ff39f1bcd7e36f1e96a2d5507c6b3f9cc996fa91408b22ca15a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f8dea3dba19f2679a37aa7f3c99dc49a

SHA1
a8fdf5875740995720ef3d99cde7542ea55148dc

SHA256
b727f4a201a885aea3f416ae13eef0bf7932906742065a079adb74f0ba7357d0

SHA512
76c9fc854fd8f55638a331d1468c1fdb04cfc403177d2fa2518a479c073db6ee4d0c07d8a7c044715372ecb6d51f6e025120f4fe4affcadac1a89f84a5c0b932

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5dd728deb1cff772b4183603cf770f0e

SHA1
9157bb454fa6231146fa6cbcde2afc491b5358a5

SHA256
bb14dd674ba696622382f77fd0c64edb57883e7b2bb80ac3a95e0eacebdac96b

SHA512
1ec52093fa2840484722a5ea156bcc8999982a0a68f4979f64144c9a5ada8ba5f41a25929db8b5d8f9ea93a282bc778a9288327ec8a4e82cdffa695942b42348

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04951ee379924afe393db6013a772862

SHA1
e68a9a1a93b9aa9afb55e21a36b5fb2af4cdbea0

SHA256
80b12a6081e1db2de14eee5af6b5c69ef85e291b2b1f948f70cc2d98ed873cfb

SHA512
0c0938381ea2f6fd2bddec320024729ae4d54d18467779efb1e7b31b52d9243ee904940728e7ea5d911bca072a3f54b210acb4dd9a64c33473b4f8cde842d3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0b3bd2706dda35109cfc472c519c6b1c

SHA1
ba1a8df6313d19959feda332536fc6bd5f353512

SHA256
9db6cb6125d1ec4b09438b4a58c1874392df686b77cdad8dfcffeafd57ca7226

SHA512
cb07a0dc54862adf915deae4987f05e17bd6313f788da7f450920dada4099513507df3cea3146aa362244033071356a17340ecc64e25bbc4d735d523981aa020

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\??\c:\dir\install\install\server.exe

Filesize
4.1MB

MD5
5c2dd6e4760729c4e6ccba57e5c53dd0

SHA1
8b4f76990354a9fe16b4e8c4fe459dc9aa67b9d2

SHA256
ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5

SHA512
e479c858bb27281567ae79c9d3f7e505db72c7af49c5675fd2980d39696a82d59bcbc2c260a27f830992644f53384698e0e06bff149bd991d8f014157b98e05d

Download Submit
memory/2108-27-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2108-28-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2108-787-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2108-697-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/3252-19-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-8-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-1-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/3252-2-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-3-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-4-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-5-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-6-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-35-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-7-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-9-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-10-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-11-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-12-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-13-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-15-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-1743-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-30-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-17-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/3252-20-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/3252-18-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3252-0-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/4276-1274-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/4276-1746-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/4276-3786-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5180-703-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5180-3675-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5180-1070-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5436-716-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5972-900-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5972-3746-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/5972-1174-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/6796-3739-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/6796-1220-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/6796-1617-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/6868-1426-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/6868-3422-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/6868-1159-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/7076-1269-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/7076-1087-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/7076-4019-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/7924-2249-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/7924-1436-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/7924-1890-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download