cybergate | 1abaa961c69588ca545e4c99db4ca1608ad1ff561b5f347a9443ac1a334b65bc

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Size

344KB
MD5

fa70ad775a0edba75b6a32507181b2ce
SHA1

463437d5b036f92fe9aabcbd530b10bb81c3c962
SHA256

1abaa961c69588ca545e4c99db4ca1608ad1ff561b5f347a9443ac1a334b65bc
SHA512

a137cda7f31a15021c0076bf8838063023b464e74ce8bd8a580150a694a7605ca886984a39477b9e1d5a35eb0e485359770342e386620d02a974bba5ad815a9f
SSDEEP

6144:ldYGe6dn2u9DYRcfJyv0VYHsnHu6zkzITbKV1v37NAXsJDrPd7qgvBo6eJbqo:lOGLp2u9DBqKO6z8aK/p2K7d7qgvvKqo

Score

10^/10

cybergate binded from hf discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

binded from hf

seireiteiro.sytes.net:123

Mutex

0BPJD5O2W8HKJ4

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
microsoft
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}\StubPath = "C:\\Windows\\system32\\microsoft\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}\StubPath = "C:\\Windows\\system32\\microsoft\\svchost.exe Restart"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1528	mario.exe
2100	svchost.exe
1280	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\microsoft\svchost.exe	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\svchost.exe	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\svchost.exe	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 32 set thread context of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 2100 set thread context of 1280	2100	svchost.exe	93

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3056-3-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3056-5-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3056-7-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3056-8-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3056-11-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3056-12-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3056-32-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4496-78-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3056-149-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3120-150-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/1280-186-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4496-188-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1280-191-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3120-193-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1612	1528	WerFault.exe	88
2724	1280	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mario.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4496	explorer.exe
Token: SeRestorePrivilege	4496	explorer.exe
Token: SeBackupPrivilege	3120	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Token: SeRestorePrivilege	3120	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Token: SeDebugPrivilege	3120	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Token: SeDebugPrivilege	3120	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
3120	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
2100	svchost.exe
2100	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 32 wrote to memory of 3056	32	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	84
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56
PID 3056 wrote to memory of 3376	3056	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:864
  - - C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\mario.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mario.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 492
        6⤵
        Program crash
        
        PID:1612
    - - C:\Windows\SysWOW64\microsoft\svchost.exe
        
        "C:\Windows\system32\microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
      - C:\Windows\SysWOW64\microsoft\svchost.exe
        
        "C:\Windows\SysWOW64\microsoft\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 584
        7⤵
        Program crash
        
        PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1528 -ip 1528
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1280 -ip 1280
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
66005b4ca2b23e04da132214983eec07

SHA1
b8a99a63f11445a8a976cce481a0f5ec946f6501

SHA256
2e465c8f6f28e61dd1369ee4c75f77bf78574f8a4ea35fb01773a9cd93d37f46

SHA512
588e2475a94ce492b53e96342b091765aeb94f92f5e2fc7ef2f731eb8ffa82a48d60e6eaa27bdbaad9299e996226686e2f94695177a23f50479989748c3b7f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5ed34b0125bc2b30643b89449d2ea2a0

SHA1
9372755362ff4f9a81ad990eff02c9d3b83d8c3d

SHA256
d19e1265fe017d38714165f8370afab2af7329c056145a9b4dfd1eac3eac3dc1

SHA512
b4e4714944ee78c5a39a86cf7435c4935b2c1a1f5369cb068dfa6d23fa1e1304cf7310fd14ecb01be6f4b86682510b2a65357f0e55bedf3c18cc7bafe68f44dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7a038f66b1e3f28819ae272fb6a01538

SHA1
db8a3b6b97d044dfd58f81cb57e1a4a4c5093c72

SHA256
55cce3c5b7d204249b252de35e00b6696d1c661455a4e13c6813556be49b58ea

SHA512
404a16981de0541a69511b007c8788cf500558ba9321bdcb8678559a82c9c04b59b4d815e73241d2c5027b60c236270a7ab2cb6fda398c47ab64f65051d0b1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
10f843023b143beb8bc5c45d8db1bf79

SHA1
14572670fdeedc4fe3508a800b9be9e43859dc46

SHA256
f57bfdb02a658ad2042e416e78ff276e21ce7acae7a54479e6edb183921a65b3

SHA512
eb89ceed396fd89a8cab17b8a8db9c48a9f5152e662140bf3f1f3e96a5992586f124738516b24cf6d686989dab20d29a899ccb3020cbea7c68fc7c526a81c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a73f6e3c22214b73ed6e65e35323eabb

SHA1
2588f9b73dc7f381eb851c9ae4813de1b5fe8bf2

SHA256
7a9f17e8da3dbf94d8c3e6af08fb4867606594f50c90fbaab53ab63b87ebd66b

SHA512
7b5d9e611a02d70caae9544f529917630bf2e26ce2fbdf1ede0b049180f504db31c6bc7c3e01d71a7dc44941d9002da2db243f36afbb24bfe371e85d2fb2bb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e9c1655d479ef70a22da8ba0395c71ec

SHA1
be8ebafde90a1344de4a2c0855f3f2dfa0d767c4

SHA256
4875352a63c788b84f220d5574798c030966ec7a0d4fb6fb9960a367b2fe63de

SHA512
d556162c138cd540f87cc5c620cb845341b59156a5a8bf0a4dcbc24614b3e92754aedb4055e2cc0a6c3b0a58be258665808b7dca3b3ae813989c791ef834d3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ba64113af1be6cff02843f1e7e98bc19

SHA1
c2634749344ebce7fbe7cc8f31b80cb382269fbd

SHA256
935ce105b4202f3594affbdb28943da7db283eed83a29dc2798121ba6fe0d84e

SHA512
cdbd029a35a1c13dda948a8e4c71cb42aa2d750229e673879589ae0019366cbc0bd36fe693eb330ff56e784c282a216603b3f23c8e9fedda959f53a8065f2bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f474d7d8af240140259ff12ca9c7e22d

SHA1
1bb8e570484f491deaf146547fa22a89983ec338

SHA256
7be92bb3a5c2d4d6aa6c55d2efb76178a870c330545a24938917b97bd16801cf

SHA512
796be5436b51f7f15d8d972e0aa82f9130c2334ca76bea626f5f156f93cf5d5a21e8e118d7d2a5d54ef833ea9f31905cf4dcfe5335896629059904b7ee169159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8654a92ff35b84325e3f77e262247c35

SHA1
406a35c9c0c4f8fb1d1161964d08e88b5ece8411

SHA256
8043d0b6735a4c95c098a0e0d3f396a4287b89421baf83ed466459740ef11937

SHA512
2fa1a64f699a5375c56a02e6b226874b92c14a1a45e198c2eb2dcc3b753ceaefe7f37fc09d9aaa95af49bc576d764c1472f69c9829506ebab8aea4ba74916cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
afe02c8ba03178d93004d10a2e337760

SHA1
ab4ee997dbebb0a25daf3923d9201a994c91e655

SHA256
7d84823b83aee139d1a7ab2b071572092ff199c8bd06782e31ee990926138312

SHA512
a3848f45fe04b295a0f667530b7350ad669583d21d73e9f10d5672b9eb6b866104ae71fd2feffafd7c206d3482ef779311174c7e7c107e396e23898e337b4c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a673d3f25c5df8100b1df25815014a62

SHA1
bb44cf4dcb1875782bec029d0fac2c9406f2a897

SHA256
79ef3e1a7f19cad97c7dee7cee18e40b2596908a2579456b59e357209566ba96

SHA512
d638e8d486eb8da076ea224963328ff34bffa68c0ad492d1951a5455c1021e6c80be68ae34310a7bc5950a8ff30b562a67af44102411e12b9633291357efb768

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bf68a89b7b4b9690cf373203ff08721a

SHA1
691ecb09f6c8b807b4f82d4a8df4bbbb9aa50ed8

SHA256
40f1ca93d1ee0c4ca2a8feab4e4f875010bba74f1bcdf3d19a2839fef3db271d

SHA512
ba080e72bcdd58b2f2b15c107b8470ff5a875fdd4f88cd593048bfa9b4c8aa4d5c73baa5057fc1e1c1942e8895a1224b2830add9094b3535a8b83d41922f9a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4384b3e3760efa90d8d67674ea9b0724

SHA1
34ce667d68db2a77cfaa2efd9cc05f777639110f

SHA256
33006a5135974698085dc860bf9de8ff3d053f9e14c010ec69811f8f4082f903

SHA512
68de2172b81b5067511b6230732931c030db59f14a29c25d6be5827be8ea25432d57c6a2f3315df1f5b67559e270e870fc46cc87d23d2ce58e83a705cbc1903f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cf0c58736239f6d0a025e584f8b19808

SHA1
5171472600f08db43bedd1367834c97b7beffd4c

SHA256
32826b676829077ee6e7bbb083e6a01a9e500074645670616d89964ccf70040d

SHA512
4746f6f9125c68432474e1a2f59a2e584900ddc16948c2cb9216244f23a0ee0b7cf5e3a6b97aa3381c7463f02d129f80162d49a0f3e801de28eccff881005717

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ef3b4d1243127d1fbc9c15ef0f84958a

SHA1
b649cfd2cb21c48c0dcc8eb959ee88ec1f1649be

SHA256
edfd140d76cf22fce827b397fc0847c05b04b1452a9f118a5da83959ca6d83ef

SHA512
f4bc1d09b6a1b5fd27c4a4464f5c68cb04e8f363fbca18de9845330497e1fc6c24b6962ba85ab13a0e5ba79fe1ab31d175c18870ee3878555ca14582abdb5c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58ad6aee3cb22b7fc274e82e130d709f

SHA1
b898b09615668c15f1fe7a9ac557b4fa284ea7f2

SHA256
bdfedf0c8ac2f6b34eb50e78f4bda10d12ed98c38ee000b479ea0f39b2f99789

SHA512
ae2de5d6fe2322227a9add6cff500e0e8ace611aff7936df5a723a740351ea95900d0ce9c80ccb75a6a416175947911109533708728ff474817568674f107df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c9e2228f81ebc5a2f5271f8d1b0ff510

SHA1
11f921e52441915cc12dfc0903e0491aa076292e

SHA256
64f60e591e3fd2f200af31b65aa96d56ce38d382b7d4757a7b0664c87601471c

SHA512
e20462529953d52f86e39f4a606ede8370a3722dd24e2151392897daa9c544b59235428e53f4845eaca4b84ea4608b72a69493a148d6072cd2685951326d6d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2e337e0406446800ec99fd3619734d11

SHA1
3100e5e05ccf22f407c020962295cda9b4a7ad89

SHA256
2e1728b5ff1f45f2de2ff9c3fe57c7b0491631be5666162896a7577021977c9c

SHA512
fc04373f1313591dd2d12fecfdaeeee63e054a28635ec3e3085dcb12e42eba7736f3987553e4039f7a1192b896af33bf9923d35921d4fef3cafe2d0c871d8bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ea28bb4817c01262733a20f0d5448ec

SHA1
6a0df7555485031b10875c3649acaa8fb7da7bac

SHA256
8f986134aa8f65e8a5f8384ba1a8f4435f73a95cd0d5da35f99f1f44b2d4bac2

SHA512
6336c75ab9a2188d5ae49a8c0b5a6d6bf3a677fe393c1e963d379b15884f4ef4fe83f8a85661ecd524f305e033a04e8ec01ae12c20c9d01267d8f41543e7d398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
db81b7061eaa73b9b821f3c3b4ec1e92

SHA1
8674888e34d1c2d353613f21b1368799d7200e7e

SHA256
a9c5ab6be115a98aca4ee5cc6f9018ff119138e139e27bc549f3f553f262b45f

SHA512
2bc8507ac228568dd5b58f074a6e93250ac8e17c6d741da3bce58d346e59b08c9603e0c840f3a1e942fda8399321d4bb02d2eb9450ea8c302e6c53876865a234

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e0aef62cf29f2ced00037f9be75cd2a8

SHA1
36606758fd2a35952b4d26123a63d71dd03a2e45

SHA256
2b2f4613675217a8b5979f5f03a992b4778b5aaefe371e14bbc0505bb4768f97

SHA512
502e7532f566375a7119a36a65d98dd379e0e57d87f23f1d301bfe6ca25d64bbd01cf2d9ad3741fabbaf73c0103ff083556600cf6657a6a07a8744231a2be812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d18c8caa1a54fe3465c233936cf399d

SHA1
28b2fe94007a7ffe341848267f6d2ec2c7dbe2ac

SHA256
e1a50ba818f3c47786730305da42d1be86462c27199ff5b2675e44cd897f18c4

SHA512
e9338554bba40656140b2c6c87c9d3b462e51d5098565865900ac4c27a4a46016c4d19e1438d6276513cc0981e55266c3bf0d13f9a26ce78036741bec2aee181

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b2e015ba119bbbaa231b2282e4fafeb

SHA1
a9cc1a1fd1d299e4651609883d43a7ca473b5322

SHA256
31171a79599deb00e6d19287825eb8d2d3f58850c11ceffe9d184ff938ab3a16

SHA512
fcab5d25a8023b3ec4a85b271370d49de935503dc35cf3230a846400309fd5161271c90750373f33312fd1b852350e0c904e6ff41c62337a5264ded6eaa90b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6b6e5e653892ede1096b2adf52f4e92a

SHA1
ac7e857cba40cfe883a7f5992bdac4e8af778379

SHA256
8598b4565ff994a320bd434fed72020b922a86cfd6efeed573c8850a6204d32e

SHA512
6a3901ced542ec8c8b02a6bf568d8f76d7a84cf3a932bbe56427a28abfa195724384a75d2a497c190b627652cb0068c3700d33bc8b495d9b82a1294128092237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1517031627b0c2b31f9147ea2f3a04db

SHA1
085930bdaaed33ffff23507d4631044fd216e768

SHA256
7afd850ac18a9cbfcb6162889a5b6c0aca404ba364e4f071c3428615ba273cc7

SHA512
84e4402c9a82680a607a7a92ee9ea41d4f259286f41ab2595e6defd66b56e82e8ec7ed0ff070fda577a16591f32040c1a49fe2fab2220eea59f57a6ff9b088c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
882b7242fd35cc5aec6cbd05b99a5e74

SHA1
0198545c981adced2d29a91a728daa2b3ca677aa

SHA256
7c5b0794f47a6edec48acda0829553bf078e7b97a2915af329f84dba265be4c2

SHA512
5aedfd8540c50e7324d2fc49851a5738150f997923b6c456d90094efedd560a1eb3cb9b2677f4aecb0ca16db3f10cff7f617070e7d9d93028ce5190a780937be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d789386e724f280af809cc96ea6bbf8c

SHA1
2e4b75e5ad6c0cea3a887acdd0f0a9f64b260ed3

SHA256
14182006825ae22bc7d4cec57b6f63f6dcaa8dbf26cc143303138733342ea204

SHA512
387f0d124a0e0cf1e3b14e286ce40f52f4b723a317480198c6c644efd9dc40a674904f130244b535252993f719fa0dea5873e9ae3a5459be00e2a962ea0026ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d69fee2fc252246adef574ed10969ce

SHA1
c7d8471d5c052825fcd0f66033a1b35e666ec443

SHA256
7d07fdb461eed1f736a97905311e676f0516947ce193b10f459fc6a524ae1e45

SHA512
43a2bc5634b7e07d6329dd599a4269f616723feca61ba51a237e165aa3dae5dff41ca8d682e9f7d90d97967d689ef26878477d9b6a8ce2717eef3bcf53047d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1cf47d381f86e834470971abd1061507

SHA1
17edcbf123c48ed68846c816a853d5309f61df3e

SHA256
d823415f83ebc2a3b0d50ea2b2af0259d82676f303dc4173030d77a3b52e0a7e

SHA512
7b8fee89f3957f9200b7f653aa40f59bdd5af36119b89b68f05773163ba33c28ac85e9900cf94f4c427391428cac7787b22b8113ff94cba68c68eff3a184f1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f4d12318d6b866346661a1354740cda3

SHA1
f53c0c8e1433756894ea7dfe98fdbfba370df94e

SHA256
969b9dcf08c93c7716afd54844d5e592e5274fca1aa4c3596ccd93c6d199327c

SHA512
e176055619bdc8bdc9fb7f2dfd215b51740828b102c2739c8eba6c2288082770f58fca73937324be2b2c7f0f4fc30151e67fa0a5836ae89d23dd2e042fbc2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5834923211fb138ea5ef66e08cac1430

SHA1
ecee504e559d89c5614ff62cbc6b1c824b672c55

SHA256
d86037e48c6ab3bbb98b3bfd63d5aa88b882f1c9c2693332d0c4d867937e2da9

SHA512
f069236b9b3fbe4bea50d893fa95657c511d938efcfb139343732c07dde041ce62b6f3a490b39aa27f84f67467aa47a5a366a13d4c18542fa254f6ac33ad7a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e5f077f6c84680ffe05d4b0be716e569

SHA1
ec69cc0db16b4be558bc6e51aadc1973db00ea9e

SHA256
ee814e4c6e3a2c6433af7c35e3dfa33cd8c1db94b3bc3112d086bec257b1e61e

SHA512
02285ebc98460d4d11830a2ced980947f1ba251384f15084c75798f54d2a2fc347ef0c6668c1f54c1ed177d6266d908c9038da07581dbad6a888b33250fe3355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1badbcbe978220b3346d53e36fa24758

SHA1
6e7c1c26405633fc36b3e0094592fb46ffc8c246

SHA256
c318b60f0c092e920a3fda7b91766bb56686f6ce1fd03900f8bf8ea8660a5a99

SHA512
a0b1c89dc0746c73cfb9efed051338665a47252fcba5b4058ccf095db6e6cff34b71cb5e1481cba43a6813af68798cf235599d3424204d4bb497b987cadc3f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
716b815fccc534c9b1f7d3221fd978d3

SHA1
56a5e40438796a467281cb1111cba5df484ae6ce

SHA256
f86b1f730b7c49b6c4af217c6a50f428cfdc07e6aab7d9e46abc8240d93bb9e0

SHA512
8bcb4e8c9099abc7307f6561e45c6e9b475dd9db62bc1ba413a7657c36da946fa93d77bdd4e17575a3b82e587f31bd02b5bca32bcdae67659add26c809219376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dd918645cd8816a85b3bebcdf61a7201

SHA1
967226be93729da61b6945e5de1704ec392a33b3

SHA256
ec08fb556c4affedd0d7a4ec1ed57a0d5323dffc9f7a924de38735f121a62f77

SHA512
68844a22fde89d5d1cbe6ca6018e0faa419d748eae42cd6584624a7a411ac497e415eddfbde8ea742026d6722bd7c8984c02f1ca925b4d65c5d01bb1f578531d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b79f9141ff8c89ee53e7708b84678b12

SHA1
b0076144c0c04dab00de83975048d89794479cc5

SHA256
c91f1a919202194771e3ffabbe7efb7fbf50f4e875da00b06bffeb27e33e0081

SHA512
bcccf2d5a1f94d58e00899b09692f936484d4c0a0931a7d110fcfe43b4a6bec8a848cde5c73320a01f36884d46cdf5f2ab2af40bee71d89e9a5345711265d094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e20ba25918900c2ef8c0bb3e2d7f7bf5

SHA1
66c7a6dbee3ed45f04a2da43f8f9d2f8dab97091

SHA256
88fdbfc409f09bbf0b34b8a7392382cbc880588ef12204e9ec3e92b27e422a7a

SHA512
2d73bd7c5e1202caab27fd745874d4a44be2e65d1f6cdf28df9959c437ec1f32d90cad85396c8f19631a9e447298e1ab8f2a2bd70c8b4ba26e88c69c0fb754da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7b5a1174b2946599dffe7f059b855973

SHA1
cdee2b5c60892f976fd758e770fc57c1c2c8e8b1

SHA256
31733a914e8f84e4d1e532a04c285381504f69852dde81d1121dd13bf2fec6a3

SHA512
834d3f73a563e047269c8fd8b7b50c80906442206b08e3e62c40dbeb330c15edd7913bf60412453c98e40ada380aff83b8adc7f96bc4ce5fc35bd673dd530bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mario.exe

Filesize
9KB

MD5
a97e253bcab27df8af63e387816fb38a

SHA1
1ea5bafa644e842a7bf29c616ec39ba14757397e

SHA256
b3cad04ce2fb5c14230f864f1af859326115a68abecebbda3fb59d9dc280a936

SHA512
5917d91c3854eaa6eb6ff448d7fea8894c87c9f2bbc04822bdf67bc1fe19fd9add76b11ded62f82eb1c1ed654fe82a8ff5d576da47bc0c9311a8b8dcdc6b44bb

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\microsoft\svchost.exe

Filesize
344KB

MD5
fa70ad775a0edba75b6a32507181b2ce

SHA1
463437d5b036f92fe9aabcbd530b10bb81c3c962

SHA256
1abaa961c69588ca545e4c99db4ca1608ad1ff561b5f347a9443ac1a334b65bc

SHA512
a137cda7f31a15021c0076bf8838063023b464e74ce8bd8a580150a694a7605ca886984a39477b9e1d5a35eb0e485359770342e386620d02a974bba5ad815a9f

Download Submit
memory/32-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/32-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1280-186-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1280-191-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2100-182-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3056-7-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3056-149-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3056-32-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3056-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3056-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3056-12-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3056-11-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3120-193-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/3120-150-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/3120-192-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4496-78-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4496-188-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4496-17-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4496-16-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download