cybergate | b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863

Analysis

max time kernel
118s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Size

523KB
MD5

06163bd1b2b0b3c902cb116c080075f0
SHA1

a16e13b5bb9f7affdaf2043a292ddd6807674890
SHA256

b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863
SHA512

9e577539dfdac3dad121d6dc06ac4cdfebfbe1a60635f187d85b6fddb708b10c910625a3d82b0064081ade40ed7561377bd4974ef363e1aa77f532c2dc83fc2e
SSDEEP

6144:MOE4/lAmXcM3jw6LX3mAta9gjTOIeKyO6Jii0dgMIymrII2HeIh6lanDAcZoTBdR:MPPgj5eK8snmcwINAF/

Score

10^/10

cybergate 21 april new discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

21 April new

priyagoshi.no-ip.org:81

Mutex

PJ13A27C2XP0C1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
data
install_file
repair.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
celebrity
regkey_hkcu
HKCUEEEE
regkey_hklm
HKLMEEEE

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\Repair\\Microsoft\\data\\repair.exe"	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\Repair\\Microsoft\\data\\repair.exe"	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OD4407XS-KQN3-P6MP-6STT-W23028YJ5085}	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OD4407XS-KQN3-P6MP-6STT-W23028YJ5085}\StubPath = "c:\\Repair\\Microsoft\\data\\repair.exe Restart"	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OD4407XS-KQN3-P6MP-6STT-W23028YJ5085}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OD4407XS-KQN3-P6MP-6STT-W23028YJ5085}\StubPath = "c:\\Repair\\Microsoft\\data\\repair.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe

Deletes itself 1 IoCs

pid	Process
1656	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
4512	repair.exe
412	repair.exe
804	repair.exe
5108	repair.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLMEEEE = "c:\\Repair\\Microsoft\\data\\repair.exe"	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCUEEEE = "c:\\Repair\\Microsoft\\data\\repair.exe"	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 4512 set thread context of 412	4512	repair.exe	86
PID 804 set thread context of 5108	804	repair.exe	91

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2108-0-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/2108-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/640-10-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/640-14-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3508-77-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-79.dat	upx
behavioral2/memory/1656-142-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/4512-169-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/804-176-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/3508-179-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1656-180-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4068	412	WerFault.exe	86
3412	5108	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	repair.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	repair.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	repair.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1656	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	3508	explorer.exe
Token: SeRestorePrivilege	3508	explorer.exe
Token: SeBackupPrivilege	1656	explorer.exe
Token: SeRestorePrivilege	1656	explorer.exe
Token: SeDebugPrivilege	1656	explorer.exe
Token: SeDebugPrivilege	1656	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
4512	repair.exe
804	repair.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 2108 wrote to memory of 640	2108	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	82
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56
PID 640 wrote to memory of 3524	640	b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
  "C:\Users\Admin\AppData\Local\Temp\b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe
    "C:\Users\Admin\AppData\Local\Temp\b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863N.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3508
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1656
    - - C:\Repair\Microsoft\data\repair.exe
        
        "C:\Repair\Microsoft\data\repair.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:804
      - C:\Repair\Microsoft\data\repair.exe
        
        "C:\Repair\Microsoft\data\repair.exe"
        6⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 548
        7⤵
        Program crash
        
        PID:3412
  - - C:\Repair\Microsoft\data\repair.exe
      "C:\Repair\Microsoft\data\repair.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4512
    - - C:\Repair\Microsoft\data\repair.exe
        
        "C:\Repair\Microsoft\data\repair.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 548
        6⤵
        Program crash
        
        PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 412 -ip 412
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5108 -ip 5108
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
523bf1fbdad811a2cbf224a3ce126b69

SHA1
59e8a831c62379d7627e124607aaf06e4e459e1a

SHA256
fd18d36d39fb87bf1803f64337965d6d558fe459feef1b8087aa01cb3e9e6ca8

SHA512
2b670f720d725f8471300e520c40a55482c8e43bd0512ecd3df099ce8d876a6faa5a75075321d376a6a778b5f1ab9af0ab91c2210f209f6cd2531cf90ce160b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9dadb70b617bb803b51189d2ff587696

SHA1
81ec1d59c70dd29e92ff830954bc35b16c039d81

SHA256
26240fade03097df90968c7e1750de7165a938686275375219cef0f57cb87353

SHA512
064943762b7d37ca67421ba5289ef169b6a34bf1fd48f6ea338850c0f6481a96edc69f81398ee6490c516360ddc8e75c11e8ee6e00474b9b8d43568c9ac5c670

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5ec1776b784bfb6ac79d24a4479219aa

SHA1
394cae4431c9bff97c1738baa18469f0d0363191

SHA256
4895e66c5f0984484fbea0d9a1a1f64a04c944c71ba64aff21914f205bb6a129

SHA512
69631f37a3485f419a406552d3ae4ee9d12c8d87317bbb01617910ebfee3b324c147ca02377607ea4a60475ab36e7debfa846850f27a33b095c5633a33e718ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8ae9082571ce92001ca43703d88e4041

SHA1
b0726ac37f03e1b400880903cc614f3097a71e21

SHA256
218ee6efa2e6647e9f910ae29b1a8ac2ff9b016eb33aa8b0084650fe6b304311

SHA512
8a838e4c9adf934a8324d55c265df4df0caef70bf6b6ad4bbc225a11ea87a7bb97609da5634ea17df0fff66033d8f3c69f450dedc28abb831a5d3136934a45c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c6e8cc80b3eb095b6ab91981af2ec2f6

SHA1
9c68a9ff609a567479da90614fd2c30b9a270299

SHA256
f0b9b16bb6ead3689dbea9840d78b85f78a1d63f3a9924af2b35213fc95c6aca

SHA512
1baac3fa72a99429921810e06c6b085763c31347a37d188e7f5990bddcc425a75bc6174ece647e4e7ab2fa8fcb7862a18f11a74368d2d8a8715032c8efbc3a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
97db8eb410ff66ab8d8a69aece2ceb87

SHA1
e5b1a2eb0ef134d91e1a56f05d69ceb1adf1449e

SHA256
23e5617911f730b7b1dad53c721fd7bf3c4b9404e9775e5ca8109696ccbab42c

SHA512
12e88baaba63c2f4333f0ba5a95e1248306648b76e8d6e2ca5c7db329404ff4d196eddd3b18a8a7e5102957141a146aa6b87bab973af1e67ca1aeee38a63a07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a970cce37f867fc2743f269491082db7

SHA1
61150d2025a84c13dcc1a41c3241cc60cc2882bd

SHA256
2c1ad4f7060518eddc6de8d36579a83c8590725a3929e066d3df5ac165f50aeb

SHA512
30324cc11955f9eda443b8d6a1268dee04e51ea2e8fd5113d4dabb0fb7fb625a83280064e9ab874778d4db96bfcabe2a8e362d49cb8e2ba8c92b57f05411fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b99512d57c3212d50a22223dffc9262b

SHA1
e30ecaef62ae2eb042247721afe093c80f92eaeb

SHA256
8fbe47100d0ef1114f7dbd4c1e5cdb35bd9cdae0e09480f6315185cefcadac31

SHA512
0aa1dcb6f98e3ed42b33d8b421c0d781a27a3a9cac20d3e08cea1324ff7d8cee543266d66f7776b127a4f1c7bee4bd6939e87d7281654f1fbdb285b72d9b75c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dd1fcda5f05a84cec6ba1b4b53bd9ea9

SHA1
57aae01608507841b5c548770fb1c7af583e0ca8

SHA256
184f98c6952bedeb9a323b0120fe74641f088e8d73605bf009e808f52be35fb6

SHA512
f29209d2ecf0e5fdc7b6583f5b4a196fec4f6bcc43f4266383ea0ed438089fefbbf82b97ac750de62ac32ffd7cf5a635c409aad56d2f3ffa52dcac5c618b023c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bbc4fd812da5e54d9711a5813d5f2352

SHA1
8b50d04c47c397bcdab79ac541fe273752d75d65

SHA256
9f108a575a19878e43c5241c9ae005a2e8767876afad6cba4cfaa43fd9a41ea9

SHA512
efdd9886aabb72cab4c2863896f9a46a95747cf09318d831952660d2b0c0a428bb1b959cabaa0b1f31687d0625cd86a35fbe43cd31ccc88a5b155985a44dd842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7784bd99f025e4a4767b056ce33dd807

SHA1
86ca4043dd470e67abe49a96b97d0fb0ac11e8d5

SHA256
924ed4096d0bb3be075774f091ec0b748274947f6b49af031a7578ed0156a1a0

SHA512
38f8314bfee795dcadbcdb60cb87e83287f6e350972c92ec5bee2e5ab29d97dd217eababe410543518db195a97518a26c1bb5e8fdca3386456221a1731ecd486

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e25ffd8665ee88f79bea7f6e2ccdc64

SHA1
f0dd77afef8de8a9ce31544225cec39c24b49ed6

SHA256
336215f94032dee8cd0fc7f0729649153a75490dfe03221a6117534ba4c31b60

SHA512
9ef5310120bc9129921e1e57f5ed53cd1016632c03e9d3d7bb1a1e7a10e24826df73f5243b1624c4a4d0ddcee49268ed429353e7fa21c1226f5f0157fca0b090

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
04aba1f5420ea48b35351a21cc52c918

SHA1
63be1eaf2584b0c9783c9cd284a29884b787647f

SHA256
476b52167ba7cc29a13f5e12c9c441602c2359e982783c208cb0c242735eb4aa

SHA512
71866121a5fc9b5b2467059cde1692a3a92faf47d172281eceae8e57321fa7d583971bc23b4a04e8b427dc767a38f993d87707e991749706bbee21bc54c3716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
246a24899e4c12face9bfab39abc26fc

SHA1
a1287f96c29c2dfa83aa23fa307c6beb72ff921d

SHA256
82b61294405915a367f17ca429f4b7b8cccf98fbaca68468be0fad02145f0fe7

SHA512
16358afdd16384ed9fdbbcc9338327f20506736247e10f395bdc787a4bc34e3b688a431d0c5500070f0dabc2655f8637105872f8d442665a34c6e094c0dce6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d83debd9b0edb5918604af3053104b32

SHA1
8b98cf2051ffc3a40d0c5f447e689f6065147c24

SHA256
67ccd52ec22fac8ef62a1b44525eaf7054d54f99c1186d12d310eb82939bfe6d

SHA512
099001bbf430a86b65c595cd02eb19adb4651b1837debcd880b7e0ecedc6e3c99a87a6819d5ccf48861cc1449e250d1c4007543c2751dbdd85e7979eb356d22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
671348a63c015f240975e02faaab929f

SHA1
51af291846aa9c8a86ec2492fdf464626f7e9ea8

SHA256
d6d24e332e8a5e66c87ed3ed5590b44dad723ee79d8848a4f15b58baec345d30

SHA512
cf74bb677523091c0d4c60b6e98394de4d840157b98feed98a14471d122b1b521f41a9c12b727c49742711e56c414a54cb067aed4f16e1a5d02e005d4d9c0fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58b1bacb0f86cede1cb771fdfcd00d36

SHA1
e26b50ea303b3076a86bdd958319731b84917c59

SHA256
5f7156322d9faeff2f6a5b667774f268781a08be64e8380d7ad1d714d2360f18

SHA512
9c71d6553eba3b0ace833d04796c586adec23d9f92ae801c81204ef72d777960e848468ba31b790ca80b4d08b12e0b971148ea1b524b4e2c02852823196ba123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b6a1b2ae2f0eeeb7e1b921cde973c662

SHA1
56ca5ad6f86ce93e42695ee436cc24a5776cee52

SHA256
8bf0f0bbaf1f0928fb0f265a4b109d4a4a84094e827560321235fac2dc57bcf4

SHA512
95e9bdf6a8505fe0d73a68f052dd14910c067cf542453124eabad9b6eed5750a4f508ce19816804dfbfa1564f596f2d0922483758b62e838eda8ce9676c03b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
691209c9fc81c9cb23e3836a4d39bf40

SHA1
8b92c3a4ad23ef115415398ad2c3869c8b9819d2

SHA256
bd19a4aa6dca657f2fa57983f7139d5b0e19c3aa7a08390d119321dcecf930c8

SHA512
b669f7158f4802b0a308fa611300c8a2e1412f7218ecb69e857728751ed0a43832e2735e68016925e685e1d4bbe88be399bb2062b4e022b77e5ac094fa718599

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b13590780bbc0150d8030218bfc8c586

SHA1
9d7e984651c88627a5f4b328007914e5ad3bc4ff

SHA256
54017d4b3821af26b27cb0f8c094991c0e239db3dc17e0c2822bb16ba6035efd

SHA512
7e5e72ee56b169afea4beb96a451ff6fb77769c88be897f4f48e29e22227af6eb9f52b6d04aa5e76e005d8b7ee3738255a964858c6a34353c07e0d70742496a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
02095a1f9423b77f4ce4e75d3c83defb

SHA1
51da7d5863f6f596f520d5dfc4e388fb73fbf128

SHA256
239e9b0299ab7c270ea79a382663537548903c0607b7df948eda71a6a3afb78a

SHA512
7ef93fc6be2546421950d667fbd7166c7d862958ec6403d112a31ccf74f6254f74394a5cf4705336209ab01a343c5215d486e3accb220e2232335f30d352a3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b5cca3df7e16d60a84fa7cad4dfe987c

SHA1
53615f800da75e492d406563f1c914c886a111dd

SHA256
9b3ae0599b4720b3072ec79c80bd1124af79b4b4fca7528240189415721125f4

SHA512
de1a417202000f00a3ba18fbc51c4b1548bfb04970d17df3aeb67c37d8da2f99ad39868cd7f3c9265a48e4aa459249bc23fe8bbd4c67ee7606c4bff5e898560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e73009ee17c2bbfa617580ca9ac9606

SHA1
fe833c5f989de29549394073a488ca8fbc594915

SHA256
48003ee9fd186bbf2a1c97e6138c242eb13eb0b9487bbf11846f8e14913d2558

SHA512
a0e1531ca5426b5eec525b1ed5c7f53478f337dae842dd00fd6e69958165fb764551e852f683db04f9eccb9910ebf05db153d7cfe0092f942ec06513ed805170

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
da3eac1824011b8233e8318171b23978

SHA1
ec75e306a9f44a8d570dbd21e836535f7a85a1f1

SHA256
f0d3300ef0dce567a937e1304af4dbf61bb0c8148da8a9d9637a423666f68a31

SHA512
d5b45e8884731f2c3693a2c901e86912f827651341131a35c2729ea651f1f0d6ef67b0c1ffb52969cc26c2b4466ae7e6d9ec627a79bb584ba81f41ae432ea324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3b176537c3dec2d5aed52b1035f1a148

SHA1
c4d7e3ee2e0ed6d3df8b26fa41a48e76ade06260

SHA256
942736a1ee1944d9e76962f448c03b9e7f16320494220dbf3be25e36dd26dbaf

SHA512
2ed0c5fb2b77aef6aeae233a8aa65a02c105310f914f4d0ef71db0bd70165a5394fce5198f3d6547c62b409fc392c1de7271c6ba9b3a0102302ab90069c66cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d13368c6063bbf53abf6d1b4d0066aec

SHA1
112561b05d1c18475f0e0b1e3ecd85eb3029cd5d

SHA256
f17d4c0a504cffda699b89aeeffaf1fec03ef08513092c8663a31bc1571a2b91

SHA512
bd94394da5079bd5f1440ce8e97b0888546273a2f7cdcc55361061980a4ef70b6363c0455ac87eaaf5196a27eaae5699784ddeb64fb0f56f50e71a8e9c5c36d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
35b9f533020343243f78828c86444d82

SHA1
09233aadf8a759bf5adaf5032ba72a8eac27f30d

SHA256
8f8c13d18c5992c426917858075a77b0763c0c36e98f42d79394db6687e95548

SHA512
2521a93eecb09bc5e862c3e890ccd57aa75ecff631a514413d9b5ae0fff92dd549e70ae21a91d5ed857b4987633ff697b9f325e72199ea99d5302791fc41f26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fba55021de48e88e0585657b492e11b8

SHA1
b45a23cad792970b5b1f25c69233c190d0c7472d

SHA256
857d97ab25e7cc8d6963b15059438c6665375ed253314594d87c1988a2a21473

SHA512
ed73a6d8b82f11b7991333ac3ff8a101e0012b10c21223c9e0a0a9b2202335a5f1607b6e418eef4ba5085fd1c3d40810039ba2e800af8fd394a6129d8f037d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f0a6912c0a40789658c0b10f45f38a5

SHA1
4b2dc0f67d001e0d23698766b0302d8125c43d62

SHA256
2edeb8f09ee69cb66a4270444acb103163ad724e74ed841ee86bc31a2d51aa65

SHA512
54d923c69042e9c88fbfda96bcc4390461e15e9ace888b83749eba42486cf258fb5f77262202d9f1cdcf3fbeb3a3427f736ea5e88a2b3625376d32d7257086c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c72f82b61a7bc45546d0353ebac7c55

SHA1
b48bbe193d21d69a009a6dc049857d0e3aa95290

SHA256
5b51be3996f9d0a281ccc33a2a344ec8b74cbfe8b82f2f0bec9cd0f86d42ed2e

SHA512
f979bfd2e90131620dc01cd5ca9a3ce4b737db3b5933753143272e22ff01ce689fbefcf57d06e867e31a49c45bae0510173ad655c7ba3850a78af094942f9fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d0078720bbe9a3f2f7bdc4a61af43a01

SHA1
b4339afa86e4e6027406b548a0f6797f87884d31

SHA256
40a3d1a98dfd9c25aabd20de6048dda7d170ea4b42b990e7746bc6eb967eec76

SHA512
cf7635baf648ad3be5aa4a18e8f9302345c8b28f843702e0e0bdc2c37087988af07ca32597cd0562d118a25efa62b6a4f40ddb867d0d7efabaeef1ac8f43c703

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cff204f60180ba705ebfe22c873a302f

SHA1
8be4b58c24830d8c8859f49b2ca8409b5c49c1e1

SHA256
af0d4585217b21b297ad713948ccb403e99ae90b9341a82b8edd7f3f2697d143

SHA512
0480f312055238d959d072af78dcd47bb03dc4a9bd233b4bf66a78077fdde2a5d9dd2277b19931b5a446f6f25330b06882fc59ba4328574329c1695631488a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
22d39105d4f8534db9ce8d777cdaddca

SHA1
002510f2a94dd080040062966bf63447e5dbf24e

SHA256
9b31f2b5bdf5a8e132f769014ec57a9750dda0862d832053b8d182df8dfbc792

SHA512
955be96b15b29713f92e9f1de690a7ec9cd7dcee99d5e432bf8fccb68f341642f26eb4df76c525c1299ac81d56fbfabb575c9ba3646fe2e99b5eb93347e90ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ed75cbd08779ed213d084b913ced4c1a

SHA1
de45e02af12fca65cc823b6de00a6fca2d2a8c47

SHA256
00344e8206859083535f5f2b43d7ea95dc90306ba36a4c0f76bf8c2909a3ebf7

SHA512
748ef50873b16f3354a62ec0064640ae9182870d1c6e6e710565939e6d159d6480e6eb7188b97b0f0b2cd09c3aeb39dec5e63c65c6161b7f34dcd80bb9641ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
39bd1a349e12f19973b4700f1292d3b3

SHA1
94a0e14c73f47e5c65567e9a8432f91bcdd87eee

SHA256
540f33383a96d8f7d8b8ece4ffafb23c33b3273eb77184133f24ea4c2c593272

SHA512
292f036793dfcb30a8f74828c7d595de6b342caadbc45f14680dda8243415f1cf1bb6ba822b0a292ede8c6786bfae7b034c74065f941dd1e6d3af40101316241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
55dbe6ded5d1f0e50f8a23cefd9ea320

SHA1
85b1cb7d617613619b892c56d072417b91542a37

SHA256
80e2509755d7caaee7b242930f4f9529ad9d991ed594aa5b1929560928201bf3

SHA512
5f62c18c1c165e510c00251cf24c70de83f17fc65046d125429937c03b241857a014dc5efc94ecb4f3bb94cd39749090a6008d82d0485e6132a2b83ba4e72c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6b5ac2477337d24c335036f74c0ca70d

SHA1
a02d4c07bc0ca329c0db7af75d173f5cb6531c51

SHA256
b0da5cfdb583f482845101a7f967cfbd6c024e7657f9289d73c92a8700d0f80d

SHA512
afdc042b7d82259d7d27b22394cd89e4bdc67897fe5ffd4f1cefdcf3e5b49d4bfbbb2e8a27bc765fe9e42f9c6d2d2443ccf9171f3ab0482700423cc461113a38

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\??\c:\Repair\Microsoft\data\repair.exe

Filesize
523KB

MD5
06163bd1b2b0b3c902cb116c080075f0

SHA1
a16e13b5bb9f7affdaf2043a292ddd6807674890

SHA256
b18babc856422ff53bcb07aad4c6029d1ae2dd65826756b57c9c7050006f8863

SHA512
9e577539dfdac3dad121d6dc06ac4cdfebfbe1a60635f187d85b6fddb708b10c910625a3d82b0064081ade40ed7561377bd4974ef363e1aa77f532c2dc83fc2e

Download Submit
memory/640-31-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/640-14-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/640-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/640-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/640-159-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/640-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/640-10-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/640-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/804-176-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-142-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1656-180-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2108-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2108-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3508-15-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/3508-179-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3508-77-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3508-16-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/4512-169-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download