xred | 35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2025, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Size

34.7MB
MD5

253baf4a712d3bacc42c2c944c688feb
SHA1

9c54c6810b05ad51f31a14acd60131dca259716e
SHA256

35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee
SHA512

3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91
SSDEEP

393216:mXXdmf1JPPIbTv2zqfFOsvSqQs8yDuDhxMewmIaOiRrqNuZif8l1hSp0huAePYn6:Qw1JPGTvXfIsb45O8ZiY1s7g8Sw

Score

10^/10

xred backdoor bootkit discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
384	Synaptics.exe
3844	._cache_Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3844	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	._cache_Synaptics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
File opened for modification	\??\PhysicalDrive0	._cache_Synaptics.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	5084	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2176	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeDebugPrivilege	3844	._cache_Synaptics.exe
Token: SeShutdownPrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3844	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	3844	._cache_Synaptics.exe
Token: SeShutdownPrivilege	3844	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	3844	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3844	._cache_Synaptics.exe
3844	._cache_Synaptics.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
5084	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 5084	5036	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 5036 wrote to memory of 5084	5036	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 5036 wrote to memory of 5084	5036	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 5036 wrote to memory of 384	5036	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 5036 wrote to memory of 384	5036	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 5036 wrote to memory of 384	5036	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 384 wrote to memory of 3844	384	Synaptics.exe	85
PID 384 wrote to memory of 3844	384	Synaptics.exe	85
PID 384 wrote to memory of 3844	384	Synaptics.exe	85

C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 4612
    3⤵
    - Program crash
    PID:1476
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3844

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5084 -ip 5084
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
34.7MB

MD5
253baf4a712d3bacc42c2c944c688feb

SHA1
9c54c6810b05ad51f31a14acd60131dca259716e

SHA256
35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

SHA512
3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1c3c3a439f6400df150a66b04100ab7b

SHA1
588b6fca2a794156f667893eb9547d7e0bfcfffa

SHA256
b4cb73b6230bd4737eeb672f6c982e2de6e9076ecdf0d2a19921b7f2f08f9772

SHA512
f4329ef97a8987ac9195ea89c3f48cf88635b2985f1eba6c6c5225c00e627ec422c03eaa112d5e3576109520be0bf4325e8d9976a8c191bfccb56f855c958f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
471B

MD5
b53693044134a8ca0c1ab6f8dafd76aa

SHA1
af860bf27f299483b0bb4897f29e93a9763415a5

SHA256
94f30126ccfc56044a5afb106537e69803723f015f3e0840dce93d56023808be

SHA512
af8877df4090daf59bbe16c29e406ffea159d7df8ccb56c1bf5e90188bc654b347eb76c9b4cff0874e5d619e0799734deccac99f0e773d6e4d1ac53646ca7848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
928ef8af7c167e1a1f495ec32806d23c

SHA1
b89bfa0b58b353e6989e09e996291bd5caf23040

SHA256
df2ddf87cf4f09af856ae95bcc11ef25a1a24700f6d76a7281e0005f9e4c59e8

SHA512
06ed382a217cda42e96bb588540f17b706c05c122417a1fb8c60faf17fe586b6c9610b299a5fb264f47f2ea5eb42b34fd00ff27735a8cfee7b8d63a52365a1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
471B

MD5
2be0d2e5e52fe2fa24ffe155f3a0dd43

SHA1
d49f72d71ba4ad6263aa62458a4aa7dd967657a6

SHA256
552c7807b616aacb076347e44af70f044acf7baf4839831c44f12b490734b257

SHA512
4bc19353bac1f82cc542ab1fdc6d65d5bbd3a18cd6588625d355eb45d255dc9bd9cef4886f2648f094230ca8d03b3c1a978b6dac1c6e54055931974f0f24f9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
21711dd5b4ca825b2508522c836730bc

SHA1
f960339f918a746d05a6e564078e22db451835f2

SHA256
bd3310d77a9bdc58cda36bfc4283d51714ded6c9d9f6e1e3f04961faca3d7510

SHA512
8d4417af978e36909b78e63bd997965efcf5220115e1dae5a0f4d53c0d47c9024be7304e6ccfedd67a2d41ef575a3a4ebd17f76222e98558975a8dde7a6de6d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a86c9140bb80a72ff27319efce4e4a12

SHA1
c15f97390b60e26c5d1845a45b7cd490dedde798

SHA256
4473b0e5fa2a3cba65db42f3392735d954083bdcccc4ca3537333acd5e95516d

SHA512
2d5e0c0bf8e67afd3470a7e258423e94fa10272466d5c3b35213282351309698d038aef15f4407a6dd2d74db674e5f8822b1647ea576c4da6affc538abdf2b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
414B

MD5
c5604767c5e3f9cb5cdf9099d1fd8d68

SHA1
bdef7503110aed59688d8bc06ca195b2f8f9b9ea

SHA256
39aca5436e847bff0adf0b0ebc5f83ae60c85e77f627953ca9e3f42a2bd15bda

SHA512
772f57f4deb1aa34f03df3018493b9ce7adbb755a17aab84f07dda91414fbaa67b3784ee94fdfbb3572a166c4ab158d50a4e842b8ca89863293d7374fcf90058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
3166059e18ff65b585bb649796688c12

SHA1
8dc41de023a76f1811d74990c1e2b2dd384b48c5

SHA256
6b692b8af6e1787680c1673a042f15327d696cd35b0d0a165152b27cfa8024ca

SHA512
e268ccea25237c1aae7ffc116f508419127770d7ef46ae156bec0ad0d99e5c84629dfaefe2769f5bec53138276387045f9990e46aaf08ac45002e8e1cccf7be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
404B

MD5
5c8822b75f52abc0580566c455a3b540

SHA1
ea9b07b9ce6965b291e8eb293c7929a723b0f0f5

SHA256
e85f8e66e1f72fa3d7ac78594350483e74988633b20ded3cf85508478d362dd7

SHA512
61422ad501ff6c4306425bf404fa780cb566eddde67f0e007fb8ae372c77e9530acde2633c9020ade9701c4352c0adfdfefbfea888de772e399ed28f006e8f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
e0cb52d06e365c42e8b1961c0e2637e6

SHA1
a7e3523cc49ae49ade1711bf3b159d0afc7b1c60

SHA256
7d088ca32a8eb7d491c4fb68a5fb210074bef724f6b11b39ec8c9af851212384

SHA512
bf2467e6c76cbe2cd20c41f2b9e2ab89649afb23f5ef06ed7227ad4afb1198c2662ed216a1282c7a58e7c28c701902836ed597db14032695ef997a493aef838d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
2d4d26d9aaf81e54408f76f8ecde54d5

SHA1
62e3d1d6a49615cfb3e7416513c760027f66ca22

SHA256
e5c6753e7e8897be49e12b059d8cba9573c21fb04d725e71eb4e7feaed6d3d99

SHA512
2f1f17951200a72ad96fc1ed4dcfe01fcf14bbda066370640c7bb75ee44dc1196284b6c52c5df66588886541810c688021451435ae46712b347b4821a1a5e985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
049252bde7afa5645d8e390689ddfeb6

SHA1
4b0ae2b0611527aca483d84efa4402b0baeb66a1

SHA256
6457d0c3e7b2682939f941083462562ff636f670894aa219934af27c09c33d94

SHA512
176ecbbcab146266c5cbd192d60a7724363bebd1ea17236eb7952c81fba927e6c1d8316b58fbca7913e95a6332d2c46194be5e5c3397c3eb3fa0fb021e280ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
e0211c679ff6bd8e9420cebc3f514677

SHA1
779efdc39dc826dc069ef2531a96276fb1d16b04

SHA256
78001e997f2230269378beab48882ebe5f051242615f41b7829c0b84b74e62e1

SHA512
4e13435bcc4699d7526ada2ba24bfb3ca5fd03893a62b89ed2480bc5e3cabe77195101ce1b91d943f614c1c164cbed1413aa878146b1425196fa81277c58f07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
128088c1ce918af51328fee7aade1b52

SHA1
b78a3f68a6b40cc8bcce66c6a9b59471ff5e9143

SHA256
c149aa2d281cdadf5098c1132954d980a5336ec4fb7c767273489ce6497fa223

SHA512
b2181abcfbb739771c101098eccd72c8122c8fbfba554536bdcf2dc7acbe12c1f4843a4ff38f51a49a51a3f46ac0d23261411e5655f5bf05de22ac5a3102827f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
c4d8dd1c8d7dfd506ca68fc4c7ea639a

SHA1
cffd2aba4485facc145042e60406ea96500abecb

SHA256
59972548965d32c2fd5983af9a7c5c4580178e3a2ce025400396df8f2e33a96b

SHA512
19f16c2a0cf75c554083743ac094f7eb984f50a2d8a1cb444009fd391d18abe0ac5c66a64ac5b332b87207265e0bae88372fb808f25d0e7c53bfd3294d7bc806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
6727b57fe27132b4d7f85cfa5eb923fc

SHA1
867fe3b883de915d2989a81db797d8503e31215c

SHA256
76602772ece8796915d22686d614e8631839e1eb028901033ac681faeb59ffb0

SHA512
cf8de7ccc78874a4b37c286fdb94a9c3f2113257565332c53eca5ef2ad721e3b5ab55c893f0dd5f78f62beb17b3104e344bbfef7ba90955c5557da09b979135f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
835db8697d2bcf47b91fdba62017b8b1

SHA1
068b746621286406c1b298d49cefd44199ad209a

SHA256
3ecf474f97221033f0107361ac13310d65346a1827a291e6f2c74a3c569c5948

SHA512
1e1c70dbd1c8a7686dda59137fb01fce502b3a29c40b85cd6509ddf4778fc260ed2fdda44fc1841d7b75fc4d3af7d6fea06aab5f30b33ea517b59da958f3b58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Filesize
34.0MB

MD5
06eadb849e2ee12b9420341705924c02

SHA1
10b23245275539577fd38669bfa0084a0579ee4d

SHA256
9267b511128b7a95c767f018a7954f80ace1d3e5df3682e691b38f83bd65fc28

SHA512
ebaefdc61c81c9f5870c6867cceb7ddbd9ff320a5dd9a950fb513142b433e741ee96f104aaa247968acf56db831b974e51f2bc7c9a1f7a01718622ea701e1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4B75E00

Filesize
21KB

MD5
42a2c808705685deb94d45411695faa7

SHA1
54532f5dee08b63279568ce1409ba9bc138440a0

SHA256
eb7fe6e89e8db3f8817c780e5a1ab535780050ee1f945b5db486c9c6cd434fe2

SHA512
6f12b4156677f66742cb3c6d1cdac6fb1c45771e741765ec42b25367549dbf7ececb4dc33c2f0da99ce637068d85c847fb1a3629ce9fb97dbbd85d019974825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\config.def

Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\beDIAFPO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi_17361306105084.dll

Filesize
600KB

MD5
f637d5d3c3a60fddb5dd397556fe9b1d

SHA1
66f0c4f137870a9927400ea00facc00193ef21e3

SHA256
641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

SHA512
e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_ccupdate\ccupdate631_free.exe

Filesize
2KB

MD5
ac264196f3528e893c6732f4d4f3ce47

SHA1
08e00621258f71f3f5a24c0d814f94fa62bc20c3

SHA256
d9e4af99721e480eebb03eff4b53831505a474539bb4d773726e9c62207ae688

SHA512
7bef04e1e327b91d4fd0550e926c4f3a52a53af28a68ec52a62c5d7be5370e3cc03614fc8794b3c84790cb9b7c1294ee7ef60eb51c8260439918404eb14444f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2176-201-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/2176-199-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/2176-214-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/2176-215-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/2176-198-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/2176-197-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/2176-202-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3844-207-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3844-209-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3844-200-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3844-203-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3844-204-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3844-206-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3844-205-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3844-208-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5036-137-0x0000000000400000-0x00000000026C6000-memory.dmp

Filesize
34.8MB

Download
memory/5036-0-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5084-294-0x000000000FB00000-0x000000000FB08000-memory.dmp

Filesize
32KB

Download
memory/5084-303-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/5084-329-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/5084-326-0x0000000009770000-0x0000000009778000-memory.dmp

Filesize
32KB

Download
memory/5084-323-0x0000000009730000-0x0000000009738000-memory.dmp

Filesize
32KB

Download
memory/5084-308-0x0000000009690000-0x0000000009698000-memory.dmp

Filesize
32KB

Download
memory/5084-311-0x000000000F850000-0x000000000F851000-memory.dmp

Filesize
4KB

Download
memory/5084-305-0x00000000096A0000-0x00000000096A8000-memory.dmp

Filesize
32KB

Download
memory/5084-302-0x00000000096A0000-0x00000000096A8000-memory.dmp

Filesize
32KB

Download
memory/5084-333-0x000000000F850000-0x000000000F851000-memory.dmp

Filesize
4KB

Download
memory/5084-270-0x000000000E920000-0x000000000E930000-memory.dmp

Filesize
64KB

Download
memory/5084-112-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/5084-111-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5084-104-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/5084-103-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/5084-102-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/5084-92-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/5084-91-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/5084-90-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/5084-276-0x000000000EA80000-0x000000000EA90000-memory.dmp

Filesize
64KB

Download