cybergate | dffc05c9d596698c599d6a9bb8208f4248ee6b973fedd9e2eaea844c28e42295

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/12/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Size

469KB
MD5

f1d38ec32630f06839e8b8afc676a4dc
SHA1

974a5874f81131dd48948633190ec7b52cead13c
SHA256

dffc05c9d596698c599d6a9bb8208f4248ee6b973fedd9e2eaea844c28e42295
SHA512

dd8a225e222a4c49746f443ac6df3abe44d14785a89caa812ac1dfb85f8754c2583d99b024e4fd22ba3803eaa4b6f2510fd3961cfe0fa6476f2e4d9399984556
SSDEEP

6144:8OpslclqihdBCkWYxuukP1pjSKSNVkq/MVJb8qW4JwuiNi6a+BtPgZBFOpd3cOD:8wslQTBd47GLRMTb8DywWBetYr8d3cOD

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

rebel123.zapto.org:81

Mutex

TY1NO00SLX81B7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
Svchost.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6XU1025Y-1SB3-3UAU-LK28-206R7H772J68}	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6XU1025Y-1SB3-3UAU-LK28-206R7H772J68}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6XU1025Y-1SB3-3UAU-LK28-206R7H772J68}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6XU1025Y-1SB3-3UAU-LK28-206R7H772J68}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b14-2.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
892	Svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
1116	explorer.exe
892	Svchost.exe
892	Svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinDir\	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4288-12-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4288-14-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1116-77-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4288-72-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1116-184-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	explorer.exe
File opened for modification	C:\Program Files\UseBackup.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	explorer.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	explorer.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	explorer.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	892	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1116	explorer.exe
Token: SeRestorePrivilege	1116	explorer.exe
Token: SeBackupPrivilege	3120	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Token: SeRestorePrivilege	3120	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Token: SeDebugPrivilege	3120	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
Token: SeDebugPrivilege	3120	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
1116	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56
PID 4288 wrote to memory of 3512	4288	f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1d38ec32630f06839e8b8afc676a4dc_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
  - - C:\Windows\SysWOW64\WinDir\Svchost.exe
      "C:\Windows\system32\WinDir\Svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636
        5⤵
        Program crash
        
        PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 892 -ip 892
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
29278475525fcb9d6712c63d7654daab

SHA1
a5fe4fd607a65fb8e6f2738decc6fb1819e7b355

SHA256
1c5c3a47eef6e420799c014be94825a642c4211024105da7c909ded4eb3010de

SHA512
6c13b0964dcbc12ebf6868aee5f1cbb0715b33cbc55d67e1f2a7ffd31a631e14d81a8b88e60eab2a402654b5c2198c222c0ab8211d5c92eba980a553bd63dfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
593d27a8aa1b96c4f21f309ef0e0a3ab

SHA1
dea4dfee127e176dd476eb78e3edd53581b5a433

SHA256
b95c90ae587aa5e9061e71db23889f84c8ae312524ee8ab5799ca5139afc7081

SHA512
439b6fe25e6a68aedb78bc4c26b792b384076a1b37138694d97f146d3cbccb2beb6bc703498d19f1122c45f4728fab69d134985e785d81158a7e5d135258dae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1768e4c0b57dc4cdbc98034b6993cefd

SHA1
2be80afa2f82fc70b035b6facc96523fa65e8c81

SHA256
565afe79096b939bc035e8fb45fdf2dbbfca8273d3f33ad71ebd1ad3ab668572

SHA512
3f6f5f9abff8cdd730feca1f41f58c2ea18514389f11ba5bbb4c58f5ab91e1a7ee5311bc55b405a875b164ebe6827fb07daee0c2a44ef81f504835b3f63b2e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09c7c84383c91a285bbdfd4dca47724c

SHA1
7a1aed57533e72922a9059e69a27340865ba04b7

SHA256
3b3daacdc053b454d926d84ba46a236d89936f038327dae515403aaaebddc7bc

SHA512
c032c05a5051e6ec359f4ecc1d6271f28b23151d31e96468243964b3917f656d87f8938fff7c6b7adfe33e6d51ac952ee7ca821ba48a79111c77698c36043c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
359b41b3bb1c895fba0cfc3959c59fe7

SHA1
9d424a97be4011d67ce0a0589d2369b83b2e845f

SHA256
4842b7d7e993ce16c322e215cf3a9a3f56fb2e3cac154103efbf09ca25924392

SHA512
d5c186f7c89f6b69f24e3ae058a188e78dde8a5812a6e9f82f812e395c1fa6b2cb79003cd2060cf5ffd2c73c646648f332cd0ae36edd0974aff3f08855cba2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5eaa150c9a3b3440dfb287ceadfc0009

SHA1
e70b679a664125c0cf966bdfb6fdc3a9331929be

SHA256
0000c2a6d8fca0663f050527764be5d4db42ac7377d75bdecdf975731a5a2e8e

SHA512
44997603c584a4b873df874f870149a7a01cea1059782e566ddc174a76fe25c1ffab17d6e1909eb27c8f40d188135e3169d5426d34d8938bc781669869086dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5089443cdc8cb6dcb6ce262220152803

SHA1
5030a4051c183a7950e6750fcf9d10fdb3e21479

SHA256
904f8f0b78d84bb29962ab28aafb10cafb8a0ddd91ec693ee6e6063fc98ffde0

SHA512
ee0a7b3fce20020dd6461636532f308ea660f4114db075189fa4a74df6c705ad1ef6b67ce74df043bcd9912ea20f7032c30a7f09929c73e9b7f017a5b40e1d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
905f692fa43cfb9ff3146cc205a9bd11

SHA1
ed172d48d1ba4c25af51525f727fc404c40a5523

SHA256
1cdade72ce229abef245a0a36e694b936c7090f5e717f22a9d5b38442fbedf34

SHA512
9b5be266cce088a45274b777c4df42b55daf1eacb12942321ed7030404d2d5e1fe8baa6aaccc216a37234743d167f6345f50d543b7e560ba67c34e67f36dbcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2576e5cbcc2d2bea682dc89747601b88

SHA1
b1726c03015b4e07e9e1756f7ebbea9d1b790ba3

SHA256
c8db284e9c8ea929f0cd8cc2f98b15e8a17ca331b2ae82bf8eeb0e6d72d5f4d7

SHA512
04348d99f88f259bad214cac35c819fe1d6a72956616082162502dc35a9ccdfa741b21d85b75487726e3b520adaf3384e54cc7904b802c82a7cf039ab4f03479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1666d352e104280f2a8eba8c08a4cb42

SHA1
f4d1aa436bca309cce38c70e6f68336d30cb58dc

SHA256
d3b23fb87562f17a9fc989ec76f16e5ed100a3e7f01b89889ff0e79bb14d08c3

SHA512
ff320b7f4731df54f144e81b94340d0eb0a69f5ac087170073529843fea8c476e8c6380f96acefe3560262653296d3cc9a9d1841921d65f26f0e49ebdb20f5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9d8be3b68bcd8fdaf67f89dde9b78e6a

SHA1
8e31b4228d266ad9dbb27a5cae3142f7cbd0f751

SHA256
0c26f992cda42558481c9042aa2c19a7425abd6d81e353d83d7f3eac2dbb4718

SHA512
5b0eb512c4576c5eb57b18878b7879ad38e7e4b92f23456dec786d1a2106fbb04e148ef0047276ef998650aef58175c4417009a87c79eaa6f95201cca6519fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
302ebaa99eff54c9d8098d16d18bd134

SHA1
e433a2a4da3bc9911ecf79d324d52587ebf05b64

SHA256
f6d47e64246355fbe1acc991046057dd85f1dd97b443d277707ca2a7570df26c

SHA512
afde0d38bf58be067d042a0e8bf377163b80c76ea19c74c6616703e5aa7714466eee03ab46b5b51c0ba61f09c83aa462085052256ad89886c1df3989b1c58287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
276e0ee9a754a0f77072e69bb23d02f9

SHA1
5e52d2302b960fece92f37eca07458df48a3e8c1

SHA256
a264dba5a64435fbff6992d159b3d9bf3c0e320f9f6dde43a35534e04986abcc

SHA512
96b107a259b3532e49c058fc84f7636f03de8615dbc623fc9e0fc9d2915d96ebb0d14f611328225d624c3d449e4ba65d5f89fa5dfb53c912c10812f3305851a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1386d2a390fbd8575ef7b5941c992bb2

SHA1
b3bcd274e646e0685fe55f4970423997848054ea

SHA256
23df2fa7f8b0c1b21ff66da9bce2fb949d27e5561450d4c880904a96874f64a2

SHA512
d111ca35e5a66bbaf3b281a9ec6b869d805c420adcad86c15820edf1296ef1e5f9d4ad2223b3fb6f24327dd61b923953de38fdf0f7aa6895c51c43175e97d52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7610ee044e5efcff964ec8728ffaff6c

SHA1
0f996818e6d853f741a2a4194765fb8cd8ef69f6

SHA256
284357c86c5e5174481fdc7274c78adcf140e81c802c8f3506db78db6960cf46

SHA512
85f87f620165479e10bab0594cc93e503a587aa722dba825a188a7a0a28ec0abd38d1555f0e399ebce9ead5f562e6605fc1d9e9d5b5d5f6df296b758c7af2d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
67aa158e82580e92472826bd5871e0d7

SHA1
aab43cb18f4dd5ead3bc4e37edec713722abddce

SHA256
db77fcac317ef9c0dcc212b94ca440d462b1bc8ac4e29ae1677585d3a8c57741

SHA512
b786b0b0a908527807ba75dca3a56000efd66bdff17d6a978957761fddf50017f8b153f7d072d1d70454d4860fa4fa614322b390f4c606aee3546bcf4b522297

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ba615cf60279fdfdbebd3623f810f092

SHA1
93e87b834a3ebc455a7ef3ace6c2d469b3ca9360

SHA256
619d5c595c5eb570bd4011c766c9c24f2cd0dfbdfdbdc49806ffff5dbcd2fc5b

SHA512
290e67e37204d01c667b31ca8b550ccbca4a3cc30119570a64df79fa8a7e90d8e9dc3ea757350e458d9294da4d3e1395e23603b22211d5f577925b7ccc410002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a23a49f7cd02e338ef569d2c1b087df2

SHA1
3817b8e062cf0578f9417c203d95dc92272f77d4

SHA256
c7868af65fd38da4bd681bce86af844d1e7cad6ebfcc495686469a8c3cfe5a4e

SHA512
649d7439a34d840236f82a17c8589bb0a8a0940bef0c6e904475ba569a9e80767cebbe8aae672e94e6339b025cd00d7fce3ede560dfb23704853f8c690e3827d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
96cf2b66777957c21b3aa990ec1eb7c0

SHA1
a568392be7df98da4d99e5484b9ce07436ed44df

SHA256
d95c2a17a2daeed52f99d683723de4553b5e3aa52e4f9880e66a019ae43f8a27

SHA512
1523d05ed0a304c7b439465aec9b08acbcf0a8c134f60fc94bb5176c98d39daa726f2195a6afa3ca6d556a8c6fe350c5ba9615963d377a1f82ee5ceef267dfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
74c8827c86e07813c6294cad14cf80c9

SHA1
69e1687572f64032f0e978f62524a80bd91a3250

SHA256
f54993ddc81fef456d4a0ce8242e7357eb5cca8ad2be61e3437a36f7ef87fbb5

SHA512
1afb6b2fb620bccf870849d822f6b75475ca2f611a259462f5aca098532d6fba02353909b8b40b877aeb1a409b22db5741b08c3dd6b52c76da5ccf0972ab93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fc987a5438ff7d1e43ac489c563af053

SHA1
9b254470cf200107db4b049ced1b2955f6b67570

SHA256
fa60d17215b353821604782537c1f68abb3e224febd26237a3d75c6acdf47eca

SHA512
35c650a1a40aa1c31a86a1c0f0bec2296a332cd90017eb640fb13404c51c9d8fcd2641cd0926501f218441141b7ab35057dfc615e2b9e02ffc0ba6df07bbb7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
21feb64268bc0c0fa31e2dd4654142f0

SHA1
340cedae8f9730628f52b793a109a59f53e8e2ce

SHA256
e4d58fd6f161a509c8ca9fc240cce0d7406d4bc3214f566fe5adef8c9c1a50cc

SHA512
effa99c00adc7d561cc3ccf74a50231a77ab0b66b11254aa4d1733242f70575d0eaa85de9692b7382ec37fce3de81cd4455b19eca56d4bc0865b2b30ac6569e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8a4015b25a9db52a169e9f0706b3588d

SHA1
5c69870ac14c1756f655a7cc9466078e2b8a630a

SHA256
761c6a435fb3a026a13b2311f2a1f021575d4a850ea012c1e395d1e433df7125

SHA512
61c455c5ec8f72e9e102431fa09ba8232079d684398943304d77fe6fd58eb4d2cfdc51b56d4c60e233b18c8ba62f82ce48c3f047c8a270b1ccabde4bda32e53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b9d14ee0825e90eb929084f9b03c7828

SHA1
2e3fea657f5dfc6a288e923224fc699617438cf1

SHA256
e1388a943cfc7d320cf677735d4275d6be30dea25332687827255f9e85b590af

SHA512
5e818893f4c3d5ea9b3ba06a7f4a560219520ea0bfb238ee089fada017d6eab5bbe9c95a9f12c4d4ab5b37e1f1b65ba6f43375dc0aaa0aa76271685cf346b830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d79b988d5811740c2d73aa73fd71d3cd

SHA1
daa57135d246758990b597f8a8ec2c849568fac3

SHA256
4e979a0e0540996642d5ca23432a056c9360bdf466cc6f6b846dd95c22d68893

SHA512
0f09534a26485327d6bd610f52d6a0fa6bda4123f86840f0e87675e7464255f979a5816b2dd5b4692fd62951a5d625ee87e4d0aba5dd51919c7534a55b9b9926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3c04ea065b2273c74c93005beab1a068

SHA1
9d61dc73a00c1bc88a716ec8b33422c558cc3a7e

SHA256
964383be677769222e020c12f24177cd5d7248d8519d4dbc589dc1f9439eaaf3

SHA512
fc93d7f08244e2df97a6ee0da0dccf749f7305ad2d9c08aa5a8c222195840688bc09ccc7c3add4584923850083db923b0eca4c2dc06c4d7e6a05183239ea92c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7e8791a6f587b463fcb5ffa578615b6d

SHA1
6c47c090dca2e3c6afa54162b799c78c742bc6dd

SHA256
cec02055a2a7303e907d804875e96f284553b1c69b597f629d6f4da93b021a43

SHA512
dcb8b58240f07fea437a8d4bde388a9dc99ce50db6b340d071c7008261775516ec7d58dd721b8a3e475072b1caa6656f11549ae340b4d373b6f28e5774fdf159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
95a772f8c56bd4ade3adae3ec1c9457b

SHA1
0d428ef9606660c64c58094f8b202bd35d250e83

SHA256
d2a6465c818f2745d920645e13996087dd8aea77e1036a93235e3eec6b469807

SHA512
d954e8aabcfed1251fd019fda3a67ee57be8475e16f83e5ef300629efa04aac54bdf1c973bb9073f1a7f48959b1c4529a3e0f9e4acdde5c1f7e0fd55334b1ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7ea8dd0d0ec0c1b6154b9f32ccc29874

SHA1
eeacd9f5eb62bbb9336137897812eb145790deec

SHA256
f6de08ddbefc20cc68a8c0098b22efcd4982cb24f23a41a15dfa5119ae8b3e28

SHA512
aa588a9fd3f6565c494524f5a00ec8c861a1da45b455b4364ca5eebdf69dd83f9ad725eefa6b6e74b2fd441210e55607713bef8460634a2fa99cdaf2cc7f1e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3febc81367613110eab7c7675bb983c3

SHA1
8b3f9652a9c8246bae99ae3936b875dc857dfe1a

SHA256
67246711159a9c75643063c6ccd069d04004eaf81c8adaf580c56cdfaa4c5bb0

SHA512
943ce58dc118c2d8d50936828582714579d89474829116db153bdc9dc17c75062330bdf4a285fe56d359fba2decf095a9bf1faff38b5a42146383f54d8ad5e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d7abf4a6f726f82c34553e01623613f8

SHA1
97bfec1fb6460b8cf024001e2c5729bea54c921d

SHA256
fc6ae79f3aeb5e17d5aaa5101e991d5d70de4432d4ba4b05449d94ad0219a760

SHA512
3e3ffc46e73895ab66bd554f51635975c6d0da99a21921f630ddfeb2b2dbf30c4ad10e92e16559ff643332ac718a4ded603c865bca9721561621d49e53e97dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
05979764c5b3fc8fed333f08eb3b3bfb

SHA1
12bd612c77afc57227241f5c7fd1a58864b274fa

SHA256
183b182c5473f1bee14f6b5cb62219b83fb21a33dfb1264c9c8902707b2dc338

SHA512
508ce72de7e46869b5658efff4c2adff4c232bc0db830fa8105217ad9a531b080f3ff2d3b65d03eb25f20bc8e94284c63f8c43cd38deeff7a10397f56e5e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f3d3a1e21a583332918443d547f4716

SHA1
fcb3e0e10b1da350ef15b5384d4dd89c2ee97a8c

SHA256
a3a4810fc81bbb45a9a05c3b67710a7dcc0cc47153eb5ee00811727c9758c590

SHA512
ccc5c6a81ac61f930591b0af46019bb47d5c6e01fceafefc04e85d78315e7ba1583e12bf4ceddc4e0a047bf5373b66967998d67230c83ae5fc3f78d865488ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fa50790f1d3c04bd1868b2ceb78badd3

SHA1
ba22b71f2e8d6d7221ab53dbeab7fec32169068d

SHA256
bdf24a68554f232b5b6d6a6df0e5defea0767e8dc2153b71ee67e5a2228d6186

SHA512
e1b5716cf7139ce20c18179fe49ef7dec4716d8b31aa75e76a35cdd1e865112383ae06124eaba38a2d7d0e6e14d321aeb31e8206c35d5cf2831b32accdcc63b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
eff7b178779191ebec5e645454029f79

SHA1
f593687511a71b285aaf4af396124b9a595fbfbf

SHA256
b175aade984da7cd26599a9de5dc6e6e11f2b833011c45d9d3892f73ca54250c

SHA512
c2bf99d7973f8f483cc7c95ac3b272363435e030af0f68b0e5d73d7deca3cdda57b2f510c0ba3711c5af368ef907ce7ab25fd4cad0cf29aba676ff46b2f1976f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1afad6129f060213eaa48a8651f178be

SHA1
685e6f145cebb157beb75f982374c11d8801e934

SHA256
3bf5bc7f0bfa11d41ab49a873694c63011a48fc0b1246ca3c4fd25abd9d63d06

SHA512
2956808a9f1562a02e20dc7142d9a44fea82c26b6ce6c98c400b45348c26c36af378a156fe2c7eac4f1d786416d2772609d56efe807312b7ad786d8998a05f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1274b4e1ebd1f7b5db50cb6b128e6648

SHA1
818296d282dabfcfde63b9e7a736463495f887f5

SHA256
5e0d28a72ed90a6f7742325eebb7fb4ce62be820404a3766781c915bd67e6178

SHA512
3e36089ae8752db42c2430dc17266ef879c663ad769da04414b298a4fc7689c7e7ef25910d4c36cba8d67534305d75a7e459b235b5029b7f967cf217649caa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpi9A5B.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
469KB

MD5
f1d38ec32630f06839e8b8afc676a4dc

SHA1
974a5874f81131dd48948633190ec7b52cead13c

SHA256
dffc05c9d596698c599d6a9bb8208f4248ee6b973fedd9e2eaea844c28e42295

SHA512
dd8a225e222a4c49746f443ac6df3abe44d14785a89caa812ac1dfb85f8754c2583d99b024e4fd22ba3803eaa4b6f2510fd3961cfe0fa6476f2e4d9399984556

Download Submit
memory/892-182-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/892-175-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/892-179-0x00000000023A0000-0x0000000002413000-memory.dmp

Filesize
460KB

Download
memory/892-183-0x00000000023A0000-0x0000000002413000-memory.dmp

Filesize
460KB

Download
memory/892-178-0x00000000023A0000-0x0000000002413000-memory.dmp

Filesize
460KB

Download
memory/1116-184-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1116-16-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1116-3657-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1116-75-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/1116-77-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1116-15-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1116-80-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3120-185-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4288-29-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4288-5-0x00000000021A0000-0x0000000002213000-memory.dmp

Filesize
460KB

Download
memory/4288-14-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4288-156-0x00000000021A0000-0x0000000002213000-memory.dmp

Filesize
460KB

Download
memory/4288-155-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4288-72-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4288-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4288-12-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download