xred | 35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Size

34.7MB
MD5

253baf4a712d3bacc42c2c944c688feb
SHA1

9c54c6810b05ad51f31a14acd60131dca259716e
SHA256

35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee
SHA512

3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91
SSDEEP

393216:mXXdmf1JPPIbTv2zqfFOsvSqQs8yDuDhxMewmIaOiRrqNuZif8l1hSp0huAePYn6:Qw1JPGTvXfIsb45O8ZiY1s7g8Sw

Score

10^/10

xred backdoor bootkit discovery macro persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0006000000019535-224.dat

Executes dropped EXE 3 IoCs

pid	Process
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2824	Synaptics.exe
2600	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2824	Synaptics.exe
2824	Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	._cache_Synaptics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
File opened for modification	\??\PhysicalDrive0	._cache_Synaptics.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	._cache_Synaptics.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2432	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2600	._cache_Synaptics.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2600	._cache_Synaptics.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2600	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2600	._cache_Synaptics.exe
Token: SeShutdownPrivilege	2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2600	._cache_Synaptics.exe
Token: SeShutdownPrivilege	2600	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2600	._cache_Synaptics.exe
2600	._cache_Synaptics.exe
2104	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2432	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2104	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2292 wrote to memory of 2104	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2292 wrote to memory of 2104	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2292 wrote to memory of 2104	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2292 wrote to memory of 2824	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	32
PID 2292 wrote to memory of 2824	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	32
PID 2292 wrote to memory of 2824	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	32
PID 2292 wrote to memory of 2824	2292	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	32
PID 2824 wrote to memory of 2600	2824	Synaptics.exe	33
PID 2824 wrote to memory of 2600	2824	Synaptics.exe	33
PID 2824 wrote to memory of 2600	2824	Synaptics.exe	33
PID 2824 wrote to memory of 2600	2824	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2600

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
34.7MB

MD5
253baf4a712d3bacc42c2c944c688feb

SHA1
9c54c6810b05ad51f31a14acd60131dca259716e

SHA256
35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

SHA512
3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1c3c3a439f6400df150a66b04100ab7b

SHA1
588b6fca2a794156f667893eb9547d7e0bfcfffa

SHA256
b4cb73b6230bd4737eeb672f6c982e2de6e9076ecdf0d2a19921b7f2f08f9772

SHA512
f4329ef97a8987ac9195ea89c3f48cf88635b2985f1eba6c6c5225c00e627ec422c03eaa112d5e3576109520be0bf4325e8d9976a8c191bfccb56f855c958f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
471B

MD5
b53693044134a8ca0c1ab6f8dafd76aa

SHA1
af860bf27f299483b0bb4897f29e93a9763415a5

SHA256
94f30126ccfc56044a5afb106537e69803723f015f3e0840dce93d56023808be

SHA512
af8877df4090daf59bbe16c29e406ffea159d7df8ccb56c1bf5e90188bc654b347eb76c9b4cff0874e5d619e0799734deccac99f0e773d6e4d1ac53646ca7848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
928ef8af7c167e1a1f495ec32806d23c

SHA1
b89bfa0b58b353e6989e09e996291bd5caf23040

SHA256
df2ddf87cf4f09af856ae95bcc11ef25a1a24700f6d76a7281e0005f9e4c59e8

SHA512
06ed382a217cda42e96bb588540f17b706c05c122417a1fb8c60faf17fe586b6c9610b299a5fb264f47f2ea5eb42b34fd00ff27735a8cfee7b8d63a52365a1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
471B

MD5
2be0d2e5e52fe2fa24ffe155f3a0dd43

SHA1
d49f72d71ba4ad6263aa62458a4aa7dd967657a6

SHA256
552c7807b616aacb076347e44af70f044acf7baf4839831c44f12b490734b257

SHA512
4bc19353bac1f82cc542ab1fdc6d65d5bbd3a18cd6588625d355eb45d255dc9bd9cef4886f2648f094230ca8d03b3c1a978b6dac1c6e54055931974f0f24f9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
ece11cbddd35521672738ae0251c5d93

SHA1
ed40129c9c1b8365468881cd8e07c381a922a47d

SHA256
409f0dea8239e28f33890bedadfc043e3ad604911f4a021bd990b449d27abb77

SHA512
7414974b963cae714c91dff42d5073ad398366c06166e3bfe5f6eb947567a05e1ce2c052f688649a28c84007e03afbd3c65169c6f86b0c8edffe210c55d85911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
065524e0133a0b3e3b7ae3f69c9f4876

SHA1
e339ea9018d18781751fa7fc0ff89ea611f9473c

SHA256
a6b7bd3b46e808e198a72f3da6fd9a4ac27326a875ab72523af8d2add3e506a7

SHA512
4f486486db65fe5fa583fe50b3635cc6a7c0ede0b3ed8cf1c672e98dd90536d4430b7756a3fe6511d32817f261da50f008db51698977e828505fda737b217812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
414B

MD5
709212665fd0b76bac83758328c7572b

SHA1
7f53e96fb619a1c7096d5bb9975dfc5d3197173a

SHA256
d5666505d3d5d83e920ddaddd7d3d9e12398bc61d31b703637dc2523b917dc4d

SHA512
1ddc9bb43b1970917fba23273f8e4254939d69f01ea710ac6931f35c9ea774daa8c6b4b9cf92ad206cab5c52887166cabe25d81a698e0725d2c8e1644c0a5649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
5a2b747dbf48fa9890fc6ae64ed6bfc5

SHA1
fd6f621ad8bdfac8df575d0b86391a1c7bee085b

SHA256
66501cd90802a297b2da7c741a0d62c85dfe4d432b7988689c7a6fc79afc3e8c

SHA512
f807ff431c7ff4152c2758de24a9c7ee4d10e8c1348bdfad8aa947468997d8b2682513187a3f37b197e03af09ff720d53da20d15b0d18a7a00bb4aa1c966d34b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
404B

MD5
b18075e7e697d849cb5ed70af97b39bd

SHA1
383c262af307aea0d1f3a293f61e0b389cd905f1

SHA256
54ec213f9c72001fa46a4feda23cb32f17c7536be9a4e11b7acaab58021ecef7

SHA512
6803df2042ef3b24cb482ed9b4f79009e31e9420c7de035af27ec8cad982afa789d5547053c49b8677ddf53db0636a8b9b8de5d1b46e64bc0dd8783d36ae76c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
d71ead68d4d0d4e632e649f42f4b021d

SHA1
ba6552e49b829b4632d1a04539dd646fcd0ac092

SHA256
b86e3af620ec4b7733330898ed0a4db48eb5aba772aef14ed8c34f6e80388b8c

SHA512
cab261bb9320c610223cf3db3de5b0aca984a4b3949ca1d5e08b4950ad1b8f533c4d5eaabfee53accd6620d5c6611a33b21c8d94fb7468e3a93830d2cb87e521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
32.1MB

MD5
a2d005f99207b22c421414cde09ce9cc

SHA1
a2360687d6531b1d74947ef68473cc33ce35fd07

SHA256
986749899af82a92d12a565d5bd7892d0bf44ee4dc687acebe7928acd5222e22

SHA512
9fadfd2624a89187ea13b9b9ac328819aaed779d8efafbe27bd2f52c97d67f1f61575c218f5327f3aa1c50f87f6aa65163b62d0826222a4be2966d2f2fc351d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF44F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3dkxAcH.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3dkxAcH.xlsm

Filesize
23KB

MD5
759f4e85a5d6733a3ebf74b7bd1192da

SHA1
f79cd5ba335eefb57a35d9760dedbc20863fa2f1

SHA256
bf888198cac590dd544d49e8eb7cd491a455b02bae54f95347b0c56cb3c6bbec

SHA512
9ef06c1d625d12d82dee3053dda28d2cc1b0cf07661ea0b10d63b8ed5754784f5d4249dd86a240a62e70b4a85782d9951861b4caa5878e047c22b23999818d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3dkxAcH.xlsm

Filesize
24KB

MD5
39f0e6f2469037df1cf8a6b8cc8e817e

SHA1
508d1c43029b5fb708e4b5d9b47b67e7f75d4d60

SHA256
af6c1b935ecad1147b94376e9fda013ddb574700ccd87eaf10140ceee3f3a8df

SHA512
0f5490be204730bbfbda71ea52365060b3f2f5f5dd68669d7aad04b09fd06d846021ba80b8032aff649dbb93ea598ab175fc704f2776ed384c3603d851f60773

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3dkxAcH.xlsm

Filesize
27KB

MD5
cad37ff03c6f2cab2e13d2e934f0a316

SHA1
97eaf519e725baa7b40f103fef872acbf18e765f

SHA256
b09f859b418f1b3152e864cac5157e07180a8f293e4fde5b3d6decf032ea2929

SHA512
7a30dee7f9f8be45c03bea5fbabf5017ba1417f0beffebf4b201bb0bd05a30f316775f8702d77ae04a15ec71366186ea7859938217c7c1ea1a0fc01194e835e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3dkxAcH.xlsm

Filesize
25KB

MD5
e19794aaeba527b114b42781066cceeb

SHA1
ae5967623a1059683a66417dadbafcd0d61ab5ee

SHA256
401a52d8e3992d0a17993fe6b4193693146a6482ae7c546d6679e5c80d09ec92

SHA512
fc37e1e678159810015e82090fc606b183342f78655b9c2d5d369d687c014c27029eec1a2df8ad62350aadb0e8f594d4eb2255c670f13242e97a52d704dfd497

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3dkxAcH.xlsm

Filesize
28KB

MD5
97e6e95eaca94d75b8bffd2699300641

SHA1
e1c63a55a9ba64f0e657f3551c7563218b7a0193

SHA256
82a3f2ec87e26b86c1a5107f5dd192d42f44abbac45fb524c47d9916d3703980

SHA512
d7267aee8294beed2d0f47b848d3ddfce574ad255c23f28c37f3b9c3b2f3666729dc9d43b812f0d6a7b9c3df80c90911442520ee66a614cba3eda24fdd320ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\config.def

Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF451.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi_17361305982104.dll

Filesize
600KB

MD5
f637d5d3c3a60fddb5dd397556fe9b1d

SHA1
66f0c4f137870a9927400ea00facc00193ef21e3

SHA256
641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

SHA512
e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Filesize
34.0MB

MD5
06eadb849e2ee12b9420341705924c02

SHA1
10b23245275539577fd38669bfa0084a0579ee4d

SHA256
9267b511128b7a95c767f018a7954f80ace1d3e5df3682e691b38f83bd65fc28

SHA512
ebaefdc61c81c9f5870c6867cceb7ddbd9ff320a5dd9a950fb513142b433e741ee96f104aaa247968acf56db831b974e51f2bc7c9a1f7a01718622ea701e1aad

Download Submit
memory/2104-19-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2104-116-0x00000000054D0000-0x00000000054D8000-memory.dmp

Filesize
32KB

Download
memory/2104-17-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2104-18-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2104-21-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2104-20-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2104-22-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/2104-23-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2104-24-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/2292-35-0x0000000000400000-0x00000000026C6000-memory.dmp

Filesize
34.8MB

Download
memory/2292-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2600-73-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/2600-79-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/2600-45-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2600-46-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2600-47-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2600-48-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2600-49-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2600-50-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2600-51-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2600-52-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download