cybergate | 2abf4ea5b3a97c4747c4e6b804de617d838a2158d6c301d7678dcb447ef4b846

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Size

403KB
MD5

8366d26f8afafbb471f0c8dc2f327b2e
SHA1

b3633e124352a84411cf64ac674babca007beb65
SHA256

2abf4ea5b3a97c4747c4e6b804de617d838a2158d6c301d7678dcb447ef4b846
SHA512

8db8b391b11f730494714bb553907164c5d52a5016bec24e3ecd6ef2d1f02ced0843679f6a5bb9116c8729cbaf27508667cc2d960ef8487a91e155059828ce08
SSDEEP

6144:F4fQ+jEiu+bc/DAd6OQskxVUks0i8ee6E4+DyCTAs6d9oFyExZt+gfmzdTjjfWFN:UQP0wEVmR14+CtQZt+TBeFT7

Score

10^/10

cybergate king discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

KinG

7osam.no-ip.biz:1604

Mutex

3OO667Y6N6Q3HW

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456789
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{521R770G-TE0G-UUYG-WG3T-IRQ5MV6P7GH8}	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{521R770G-TE0G-UUYG-WG3T-IRQ5MV6P7GH8}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{521R770G-TE0G-UUYG-WG3T-IRQ5MV6P7GH8}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{521R770G-TE0G-UUYG-WG3T-IRQ5MV6P7GH8}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Executes dropped EXE 4 IoCs

pid	Process
5064	server.exe
4116	server.exe
4792	server.exe
4456	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
File opened for modification	C:\Windows\SysWOW64\install\	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 5064 set thread context of 4116	5064	server.exe	88
PID 4792 set thread context of 4456	4792	server.exe	94

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2104-0-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral2/memory/2104-6-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral2/memory/2264-11-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2264-14-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4604-76-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-78.dat	upx
behavioral2/memory/2640-146-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/5064-171-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral2/memory/4792-176-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral2/memory/4792-183-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral2/memory/4604-184-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2640-187-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral2/memory/2640-188-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3408	4116	WerFault.exe	88
4024	4456	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4604	explorer.exe
Token: SeRestorePrivilege	4604	explorer.exe
Token: SeBackupPrivilege	2640	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Token: SeRestorePrivilege	2640	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Token: SeDebugPrivilege	2640	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
Token: SeDebugPrivilege	2640	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
5064	server.exe
4792	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2104 wrote to memory of 2264	2104	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	83
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56
PID 2264 wrote to memory of 3456	2264	JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4604
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8366d26f8afafbb471f0c8dc2f327b2e.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2640
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4792
      - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        6⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 548
        7⤵
        Program crash
        
        PID:4024
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5064
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 580
        6⤵
        Program crash
        
        PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4116 -ip 4116
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4456 -ip 4456
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
4933547d8eadaf128b94b4e7b7c88794

SHA1
fa6f7948ef06483eba4ae969b2d78fb3ae0b01e4

SHA256
299f1253247f9b49653954484d48b0032914d76f5de278d0212c47a28ee0151d

SHA512
3c8915114b255bce034b81b1295fdd4f525ba1ccac8111c9fe88244208935d2166d2699e44dee0e4ecdb935eefff819f0e982a83b2e35b839280f6fedae4e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ec68a127bcc9b90625e21addba624704

SHA1
10bdfc521949ec79d29f47b922911ea2d724ac9e

SHA256
deba2b53acba52697e67d55a0947ed37fb646523caf10c3c86ac42d9dd94da9c

SHA512
fd371a064ae51aa90e375e149a5e5a01eca6111b366891d88478eab23b744f24217f7647dfcf54aad5da583e39e90956f03323c7c3d209349197c4d3fca62aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
12e680524be235ae981a233d87e8abed

SHA1
b80fe949f235a77318770f3311e926f191d36e52

SHA256
222c1569110c4622977719c41967e95e22f226f1f01e8ded355bb6da6f2b0da0

SHA512
2a18ada097da01f88a75fa2693a2b7a1f9bf2f70f0cb708ee23a419e8bc559ac23f36f43b2b1200b19d11476929fbf66b154e14166174ff4b414c2cf141b5178

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9fc743bda7d4457aacd30fb93d343bf8

SHA1
f27888faf4dceb2a0a8e49e86393b02d911b7dcf

SHA256
a52ac58432d03030a2cbed7bb3dcb2a430b323b8f8eae51848ae618425fd5073

SHA512
ac03eb91d2d2946df2773f8341f7a603c360b041fe18cfbb0c7f2072c3dfeae68cfd6c5dfd9a87bced07e865436458a6377b229e8ec425014db7e8a874c57be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
941174e4b096793383dffe7c1a475e36

SHA1
94935781255451fda47eea97348d1240efe7859d

SHA256
cb37daf2bf825ea1eb8166b7058dbbf13bea7a5266c1367f46339db37551722c

SHA512
4aef17c6763b75849e07a35e8fbcc6b3b7e892a9da41cb08093e9f1759d80ab02e98785dbb013756f2e129ddb922b671526d6310823e063688598b3e447a3bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c14db7ca31fc87d770d815a57b691b60

SHA1
fa8705ace8684de592e93edf0cf7619b67dac4bd

SHA256
d825eba944c7a7c631b1b3e07346eba619a1ba7f70287b0903c24784ab8c8076

SHA512
be9c69105c22275bce24cf9d174e7ea6030c2d48863bae5d5ad647c410a59eebe73f862c1a36ba569c74a82a2b405a306982ead12a6b8629505bbb6f0a809469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0532a136c8c3ec7f0e269e96c931133a

SHA1
07f7823d3a361a09bb33f6ee707a6a6e0af02b09

SHA256
f5590ad9298904375685a4e3052a5e8bc20f811990300e387c5e8a123d7febf0

SHA512
1e5389f3e8ab94d1ae061d720a594d7e03fbdf5fcc78aa4bca9ed307067a281e7d5f6bbb8575399b4a0681c847af725069a0c7d63d568c6bdce92e3257fad342

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f303815929eb8adfab58f3d998949cce

SHA1
55962a96f2c607b74d436793d1416b4cadeffe30

SHA256
7a922d59cb8635bc5324ca72ea3e9aa89e6de6f50c929a52b5983ba9437adf64

SHA512
0561b69f361f5c60132ee98cfe4cfa9212a6bfafd426555505badf7545ffda488fdc2f301a8bd5f3960f6a669730896bdec845a5dfb86b637042431aa3f4d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
30ccd9f2716fab33cd2e3fb3d221abb1

SHA1
bcdd838cb6921e1d7127a0d53c78f6dc725f178e

SHA256
c4f75427549ea97e21e4c170855390a8fa8b1a4c9110d9a729ca479fdae3f464

SHA512
7c140fd2f8932264b8f6080d00e8fac5abac4dd2d37b991e26417fcd1d8460f74c5522e0a25ac1126112317db2f3b1db1497c1b204679b267e7d29d2f6be271b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
36e9592a64f0116c611743c78ccb0d1c

SHA1
7d8ccf1c5ad3dad1972d24d8c1339b269332fb93

SHA256
8c8573d82d016a9ec815398b9118ca93b0833873ec0b4854efb0d5a1c2166b16

SHA512
1403b18d311c6287cae06cae160fd1dc8fb9c196a93ebb89bb3b3c75229d5e2042d5511e4549ec2ee25c123102a56c88d1b5fd4ab37395909e29e446c3841d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f93bdc64c9b5a2c0d806e2fae614ed45

SHA1
c74a7d7380d9b27fec37f8685b611ea4d137b9ce

SHA256
8c7bc6b30f3d0d61ae2ce794434eb7365c40986f223d07fbd37d0c6e8d3e1fda

SHA512
040558e293a08281b20f626aa244874d0434a2402af21cec11a07eb72e5d3f5fb65d52de2a025d23e4fb90e075a03d86fe1334098ca7643310310ffcaf767d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cd58eaa8057f21fffd8724868d84d903

SHA1
1f38630edaedb6c3e238e9c0984b4a1604a364e6

SHA256
1b23da7d81f98e3fa8cd291fa890632dce72347a9c9bf876802a236ff5acb44b

SHA512
8190b89bd1d954bc8c4814487ff77b45e53f4368c75628028ef82eefc289bdd293bfc7e771ea0dd08c3a5693f7e33ad6ee0c310cb572eb95947cc6a3cc8549e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b6876e9caf1fffeeb31c7426759827ce

SHA1
fd6ba8ee5aebd16cde245513a96eeb89d945227a

SHA256
37d482724804985ce0af3cc218f7134cf8ddf05e8fe781532599ba58798ce4e0

SHA512
717273f3e226a5ebe26591b61cc85f9b96cf7441399e82271e2042a7cbc9c714f4e1a37f28e463715b54f2680d41f8717e26b3cf10805677a7dc7d73a9586824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f311f9b3c10a3e23966419c782bbc141

SHA1
86c7cca5fbb6c03c12198d9327729f00d2ee28a8

SHA256
13bb143142639137998058b8e9f986fac33ea72c150cc1547f22692d7827af00

SHA512
d7322aea8876d0186126c13b11d8425d2b74a4dd06c9ab768d94cbf7db897d25b9acc20ad7742a48281d984615195a9d4e643392300a1cd3c3cf4e37576870eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
47acfca6b9dc0812c4853c5c4c5c1b84

SHA1
fee70190e9ddbcac52b82f8b2287531bf008b40c

SHA256
70ee731903b030ebf09120a95437caa39505a603e3d33ad58f38d71b8441fd54

SHA512
b6471872fde80d3fd3e8336cf67bd62d4f28edbdcc5d6d93fc58c6c261bcbb2b4c6f6d11ec826c4dfb6fd700a1fdf24aac2018002138727e24ad882acf830821

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d66fcfd62b4beeec7abcefc9cb73e1d

SHA1
575a8b1536d289750b0193ac094f68f7c5b7f480

SHA256
8fead2d7813750aa0a0536cb739cb383703d1bd3b385c4c19949019b46592b06

SHA512
85df1f0b79a37b40b61c56e04429b1f11f32e0e8fd572d9415af0d600dc17dcdcb9b83a69721a7e0c0b6dfe1f74446a0e3afc8e3fdf60735ba47eba9a7fc9dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
827d8f42890f5f169bfd5944558f80f4

SHA1
3deff298adc316c3696ce223475ff4647952c39e

SHA256
00c936432d3170d80f56eaff4a8643028a0b11ff2370d1441d4eef914fead1a4

SHA512
ffa55314318ab64ff228c8e4f3db8e48be09a32ee0d0addbc5ac0e9f86bbdbf148ad0c4f78104880fe1cf243d631db95b3612be177a588cf4ddd41301d9c2d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5ad1dec8ab8109a59386ad06a21bd5b5

SHA1
4add7fc79ee40f6d16c299be4c82474843bc8d2c

SHA256
fec01453588ba2c72d53024d9975bdfeb08cf89f3d00d26998982631c1aac07f

SHA512
2ff18dff6cc539557fdc2365f8b0c8bb2b06f2771425ae20e915e2cda655cf3dfedde0f080760d406037a34b36bb62c434914233d037d850a9e955b3ab4383a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fe29f40980715ffaebfe24547c99078b

SHA1
3ce1edec78a1c94c568888372c471d74d9833b6a

SHA256
64b1232f8528775011cd070c47818fe091e4aa0bee5251e8072f961607120012

SHA512
fa8344e945e9f5aaf51f04f453ab2dbade97e28226dbd6bc4e3b49e109bc40bd2ab84079336cf9ec1fabd20bd8993eab87be1253463513bcec41422123847786

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e68bc1d7fdfa7d7b76ad7935d77e95e0

SHA1
de7f3f84534bac19a93a6923e809075e84688f15

SHA256
7887e2b4bd634ea20da50f255b2a05a91db2ea934e58371535a88c8e7eb64d25

SHA512
368d5f56c7611e051193e2ddfd8488263a438761593884d331945a5289877f5ca9183f9ab8487a9f1b8d85564be3a1fa15e2923df96dd7aef5e31c26e960ac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
451d791c5bd2e89a298e30a7002fcdf7

SHA1
61b5206c41cf5320f4eab95434f85740997780b0

SHA256
458d4da4973ea73bdcc0c6330da11194ae25943bd97cc786329f068e04330f28

SHA512
8c53c06a2a4519ccfb1aad9852a61aee5307747590924575ec95cbbed58dd1c10327a181068140e5ba7b05a244efe9ae70a4e2f3e8fedad4017972f0269a5964

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a1f16d086703b36fefb8586a8c6b660a

SHA1
27686cba7e852b835173960560002c3d5812b8c4

SHA256
0f854020cd00665d052e412e6d08d2b8ec3af4547cb7052071cd858c4100b9cf

SHA512
cbaab0363e15872b0a2a80e7e544d32785969dea1aaecc1de072d7ef40f5296195a7596adcfe66a2409d97e692da812aa1c64c886fea9ce0d9dd242cf35382f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
716c1c18cf678f7eb9d341461a70f226

SHA1
d2f77c2c03464b3d8aa18a75a59959bd9120702d

SHA256
6afb0f27dac9fa11be4898c9c1618e57e308d94804d5c3bc942aef80161ef512

SHA512
07ab882d37d900dcf207bcea4652eaa767e7b3165ee5e1dc36be469771a70472b00a98acd8ac8f830edb7152bc30ef9a5b2c29feccc447a2c9f007528161d190

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
85c439f7dfebe5d181aabb37db1190cd

SHA1
a07260f067d99274d6ba4a679f40f35d42b8b43a

SHA256
e468f99a2aa206755a4351fef50f4dcd2dee350475ba235638647623c9afb0e2

SHA512
4e2fcb615eb66cd7bf7f3d2e0245ad5aab1ce79f0c7abcae9ad5a4a23427e6d78178891b37309bf2a55a9a6dd29d4207306f93a3b8395fd48f5471c9f5ea84db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
14b12afaa4275cda5fb7e10ae75231f6

SHA1
bf9d6746202fdb1370a0d684361b48a7772ea671

SHA256
a3460ee6e44353ce9bed20ac70488299f51a00403ed678665cfdc7e93406786f

SHA512
74557f0bfc2d9e5078d6d5c387caeb4c0d48aba8895bf3e5be7cbf622665190f15e621027641d7793a99bfe7e3b885ae6de5641e0f86e1cd6531614262db63a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aab295227c914fb5318ff1b00fd5fd35

SHA1
97d06a3ad688bcdcc5fdf89875cc0e88d3d1c7e0

SHA256
1df414008b038b32f03155809f227aa0facfc2a259fa07b548e0136a6da43fec

SHA512
1eff07b0ea900cfa14e396670e111404646204816a89a058257ce43cc77d8d7847c1caa446f8ccafec19c485445a2e51520636f19d848a359825744d75e0355c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3cad805f29e06b1229100981eaafd9c7

SHA1
97cc630bdd1c36ba66a69dc49ea5ceb45c708e47

SHA256
bed23b22c8c59a58a4d325ea56b3a542adf188be4e17468445f279890323b708

SHA512
fb68d2e2d7eb86f9593782465fff23f381aa18830d9911b92b4a07f0cc518bfdb603e098f15a0b0336af9f39dbb0a53dc8a065c0eef8f05d6d3a3d28764fbd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
17efcc14938e4b12e7a199ae612e03b7

SHA1
00ecf0078604b8bbf9333cd8621959d7d24a2fa2

SHA256
c66b9b724d3a6f2ff59575887b28c4d6f15b3be789bcac05bfb7a075b355747b

SHA512
972c3d1069eb7c7bda084e77eacabd8028683af9b1ff9cd4037e1e1ae584a54d5fb48c9cd85b294bb63885735cae1b1c2edb4d8e63759ee9ef1ac6343d84c800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7fb9796c40c03614a7e48b857d1aac24

SHA1
3c6f5b0752e60caeebe42097768471e347a1ac9b

SHA256
a884043f7c842828f5b572375136ed036fd455907ee2300384a46d9152f1cbea

SHA512
1f8442a883a8c77651da0f8ae9496be86f70029d14c26aa8279759803a379b03ed339359d93feeb4068576817dea89eab7d2933247089ef8f540c1255c02853a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
458392526eb402017751a9d9eb0fc754

SHA1
498f033d61ad9cf4f375c3df8c5eb74d3e0e373c

SHA256
aa165c1be78395484ee0155ba38563c4cbcdb25f377a149cdf99b15305d0ed3e

SHA512
7d781c0246442409d1fae353f8d160bd208387749404649116551d6d1150d289e0683c2b80f2458426211cad1df476de1885c59bbfb6c8567a3f0a6dd3b56811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f42618da4e425601540418ccad2dd0b5

SHA1
de5dea25d25801faa63472c6382e49dc9f3010c9

SHA256
719285b926ab873d6924f075a6ea93d69aa1737ed116b5a386f34d664e1e3b17

SHA512
85290f92aaced25efac5f8354227e8a15004db8d270caf1d1248976bf5769e546d6a1421182d9b30df8e58d1a3a6d1e439bcffd5de660e45feb7c48b430067f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a5cc723fcbe6ee2d3fd326049ddbcf3d

SHA1
4187752c3e6242131036f783f276b66b868d8c80

SHA256
6e9e3e22e9789814b31a7d2b4b0673c6937984b8f338144d0037b27c0632309c

SHA512
239a53390b4f52ce044350ad46e408c27c632b79fca852f46344b0146e056d810cc329e77c805414e5c2f65a2feb0dad4df74d99ff1aef800f8ca0286ca11fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9f4feb854a3840a0ca038257838a1745

SHA1
3e9b525836f35dc652ffbcad405c22fa249ca8a9

SHA256
b852526bf1cdcb67d4ee3b09c3a04c2c2e8e9147df28cba7402a23e7ece63106

SHA512
27aa26601970471e6012e688929b748bcde7a849a68b3203a3f1d1e765395f3ad184546bad2bacede6d430a2281164b3f629c08fbc595223b57d4d7ae609ca39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
014ad284c3c1f3d347ee190273592d38

SHA1
a6dec7cea10a42f0acfa4a84458269afc7816171

SHA256
cedba239ab86655f2f61e216b16e941cae676613eb0fcb9200fc441c0a13b3e7

SHA512
1fdfd6dc20126a5152c9aa547796711c63a3e0fb7e0f663e8275cc17766a14815ef918fb9e2fd21358473de9a3f18ca439b9e3fc1ea8a7c658c4b6b387207901

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7d89d6cf939b804162c2cf68e47549f1

SHA1
3cc81fc365d43d6d42d322f322daf574f26d9fd4

SHA256
85b60b1d4823323b1fba4d414e63e031fcbb739754b6e297a495dad9aa0975dd

SHA512
22e02e1a4df6ba1f0de30228198ec4b83b578f09262062d39a315d2479c86c0bdb7a93733ea9321002919dfa0720c6581007bc3446b1b6095e6eafeb21c2fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7a250f66e83d4e97422103cf3a1476a9

SHA1
0f26e51ef90da81ebf17eec32aaf6393815783b0

SHA256
e65bbb05adaf65e12283dfc460af3557451c5dd34635d3166391b7b404c5a336

SHA512
aa607b45fbf6f3e6300038fd4ab1d09ee3c606cab2345134083d393682e102509121fdeb8aff1367647ed5a1af1176cc9b12bd05270a818e033c4e5dbf35fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a716798abba0ac40f60c195a7714d5d

SHA1
0ab30fe3a8790df55e2d3485b8ff0b87c7f25032

SHA256
ef51aec178df73f84e6b81f908d88ed5903b2521e18a64d44a5e74f07273f1bb

SHA512
a07f3aa052945218ba31564331821d158065682d9e1c1a7bb628a8f3e7ec124e3122c791a82603ef1754cdc76d60c5f3328425a8fa0866a8bdadae5b4874093d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
81f1a32cff8ab20d026af88c94f58c2d

SHA1
39352f366067f4dd50c75d1688b4ffff6f8f4104

SHA256
1e59af2451040b03047984bf6a1ae437e037d09f6c5eeedb832d6f2b1008fa77

SHA512
fa05c5f1fce48d211451c4ceb1969e8b168a4ac13b3177361b4d1589a41e71862a36fa2e0210eead35dbda997eb6705847db93ec45a7bafbf3496b39e9229937

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
403KB

MD5
8366d26f8afafbb471f0c8dc2f327b2e

SHA1
b3633e124352a84411cf64ac674babca007beb65

SHA256
2abf4ea5b3a97c4747c4e6b804de617d838a2158d6c301d7678dcb447ef4b846

SHA512
8db8b391b11f730494714bb553907164c5d52a5016bec24e3ecd6ef2d1f02ced0843679f6a5bb9116c8729cbaf27508667cc2d960ef8487a91e155059828ce08

Download Submit
memory/2104-6-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2104-0-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2264-14-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2264-165-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2264-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2264-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2264-86-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2264-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2264-11-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2264-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2640-146-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2640-188-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2640-187-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4604-184-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4604-16-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4604-15-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4604-76-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4792-183-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4792-176-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5064-171-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download