Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 09:15

General

  • Target

    6ef86daa845b062f9748082f2ad8dd8f_JaffaCakes118.exe

  • Size

    528KB

  • MD5

    6ef86daa845b062f9748082f2ad8dd8f

  • SHA1

    c6a7d6938b4319ec7e758609cb83dac8322d1256

  • SHA256

    3fc80bb964755d2e0b2a741ea460348fdb35058cfcc3f29beaf12cbbc4b5c9c0

  • SHA512

    5b5e466f48097e3fdeb0093d530035935672fd90f7762f47a9d75a1d8d99cb422e14d50d78be4c7979f24404aa577a5d696ef1d52139fea3515c6fdb2ce366cf

  • SSDEEP

    12288:8J+t8jy3K+vmHW9+AUqn0tbkRskNaQ4ppdJN9IJap2:i2K+OmhUqngbkRsSmmJa4

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

salamanders.zapto.org:100

Mutex

LN3X6CLI34BXWH

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\6ef86daa845b062f9748082f2ad8dd8f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\6ef86daa845b062f9748082f2ad8dd8f_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqomwagb.cmdline"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3841.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3840.tmp"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2564
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1900
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:580
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              "C:\Users\Admin\AppData\Roaming\svchost.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1912
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:708

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Active Setup

      1
      T1547.014

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Active Setup

      1
      T1547.014

      Defense Evasion

      Modify Registry

      3
      T1112

      Discovery

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        bb9d6e80827d87db28d660126a1d260e

        SHA1

        145a3fae5139a38a32a1ce49d310e61c397b21f1

        SHA256

        05da3c8c3b0c519c890ad8bfd14274a467519ab03ca2df06ed58c7c848f543ed

        SHA512

        a93e9ecbe60051f1dd1ab661c42b83f8ce52194f9f7a5845f1006397dd7371ecb62bfa395e3f78723b4afa8ee98e7e8cd1f2b62aa85a3e36072d9141c9a4b24a

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        864641c3d398a17247289ad8b43d503c

        SHA1

        a7bec6f784e3b80953eb350d5bef7ecf9d22dbfa

        SHA256

        266b74eeced55486ef37cb8c95d2ea06aeb5e7347040a0d1bd1011bc07fa5f5b

        SHA512

        dc6f1439d22b94b043bc0f5fadeb032dc9393d08f068aa2e754c25abf6c0f5c6c8e96ae8026fad5ebe1e843cf6058ecf72870ec7bacf608dcafbedb24548b3bb

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a499500b1c800acdaa77294bb79cf0c1

        SHA1

        874a9ac7f5cf91af4235a8e10c0a22a1852166fd

        SHA256

        91a1814d9bf36ed011f484726bcf4625e0f8a19540113ff0ce0d5c0aa0373571

        SHA512

        2e6ac5480072eda84d01c3aca997a01171b31a27fe1975535f4cb1c7551f6944c74f59c90921d37e8eed933973d49fa9809741b17ec73a6b2fbe08d036a07d14

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3a46120d0d07977f3b62da9963233710

        SHA1

        41ca944b3acb7a6df8202d9f5956f23dea77ee59

        SHA256

        3bb00258575a0144bfb0a7576a2761c90f04b1ccc0c553aaafbde125504270ca

        SHA512

        67dec708960795e44f4dce479407134f74ace60ed94ba2eeadb106381d8ad6d8f9d878ff773b458919ca2569e0f7334401fdcc7a337f6485d7681de4e7fe6057

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        547e007e4b55a74e3401c5c422780e2b

        SHA1

        b9ed60e5f7526470e88e041ca4bb737c902264ea

        SHA256

        65aa99b20c56795e2d0190f5f4e4dc9ccf61dca4d9066e52211a880dbf9a5805

        SHA512

        084aacb60400bfb9dd1029535b32d8d6f69c0cc006ce1c291fda101e953f07aaa9614b12c83613b462005125ed4575c6a4cc6b78d369be828b703638587016ff

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a814378e407494fd101c6ed7b8ea2d7a

        SHA1

        96b31f249f15689d2738cf7090e11af6643f0c36

        SHA256

        f3e2dab795ed083c48c5bbc45f5e23a1097283e6ee02dfe48ebfdeb6d899d030

        SHA512

        1526316981b3d865eae5b76efecd3273be2d8588702ea8968dae1cb5b5b474b49c95cdd0e3a5b9b62beb47d148698319900e634bd0af708ba75876fae8946d91

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5214951b2a1ec530e5edc954ccb2ea0a

        SHA1

        10c00df4217db24d129bfabfb266cc566cb0973c

        SHA256

        bbb7119fd67bab4055496fd795c90be05e019b4d713b29c35ee80a7ad526d088

        SHA512

        de5b016a2d7f667d5b9c89cb4ad2708351347907a6339c33e917044fcc81b2513765f43c38ea78ba54a1b302f77f8647ec389b2284ec2a735380a969c2d1e6d0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        628b43fc36870d86fe50c2e5da1b04b6

        SHA1

        21e6930742803b7fd8e8141a47d585be75037ef9

        SHA256

        8b14a639b3906e7ecd7e862874e4b4eee98cb4bc63a5e85d3d0e157686239d49

        SHA512

        5fb9c96dd5e4385f6785072ed29dcfac02bab3bf718ca4c34950e964768cd229daefdd82f92f5f19bf24868a0d05d080ac05c1b18d135132f59844eef83dd45c

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        dbbe34ac1e3b2c03ae686e49b0638323

        SHA1

        d6c801fc39a16c61931420f7dfdf1951828c20fb

        SHA256

        78859a24b54e1973443d923838c12dca44ee99b7e19092fe38daf7882feae045

        SHA512

        87387ac5285921f1a64d34e295bb9c0b4f6c3f251c3586676f662edec108a64dcb50802bdd1d4289d5ac4a449c6629d5b8ca0a824077c35ca6fee71a658f65e0

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5f1919e9fa2efc7aa0a4c49385e2691a

        SHA1

        3bde65f4fae607c584b50e85f6a6a272dc89f60b

        SHA256

        aa3fc120363a1c90b14a37e43b21841e799f8a94118cd0ef270eb966bcd3de0b

        SHA512

        802bdb1f1d178d9901701cb27b42d21f859d5c4c8a264166216bf74329c09e92cadefd5c63ec3e776e0bd8a1701ddb9e0f23bedabfb8795b89126726f98ecfec

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        15673e8e6dbc05f2a26fd88d8045b621

        SHA1

        bfc11fb8ba27972c5a907f47cb76d7548c25e19e

        SHA256

        6194a196416fcdf36849dc93125392fa3e8890fb44b431c4388e2b263e7a4ac9

        SHA512

        56a6ee55fc14e0786befbcddd239eaf1bce71798fc70ee6cc86770b8168ec129f1a8fa27509f45415f5bc2dd066d0f16f032992d551e08eff567dbd0f1c39433

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8fb7667622df30022993176cf3a848e2

        SHA1

        eccf63c2bd8033270ddb73d5b50cf5c5f485593e

        SHA256

        361a8d899c4438b35daf0ff70952a0386c9c6dfdf594930efd6b72e341378efa

        SHA512

        037e0e0a0e67dfc8467d5d28d5576e9a5f549903f06e523bc9cb454da5ef8987226b503ad736034eab48d1e0782bedba2673796c152a67cd87eb9ca4c5ccd99b

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d2305b65a6cf0b5033ceae0cc5f658e2

        SHA1

        248b2fd9d0bf503d3e87e03bafb149e6e61ceb34

        SHA256

        cf360b061c8d257397eb20217efe0bb969d414aeea80cae99db1b167df18dd0d

        SHA512

        3fb6c481ab1418748d331947bf14745cabf8bf4eed7ab9dca906186de6f3ad7eea357bfd33d947964ef53eb1f6bc430977bfa8f93b9881cc96c5114f94474336

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        c37362a1bb34ff5f17aa9fac0192d6d3

        SHA1

        815308098025c965a247115488b663b062386299

        SHA256

        0496fc6da1bc36ee31c625ea90fceab58a23e4445c568f32c09e532920af4c9d

        SHA512

        e309ce8fcdb34e62c7b27ce6831c8d84bc619eebc4f616298810546c52c83035e4a03b212d23660e5b4a4ca3f5323d178fa8be430474cc3834eea6dafcb4506d

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d4e668d1c28336a908612d5931f90632

        SHA1

        709bc2d3e59dac1892e3b9bab4ac6e5ac8c362e0

        SHA256

        6ad30b45ce03d41e962621218e553d53d52bfb76a88dc50f35f316206179c6ab

        SHA512

        d034a0078042b3e0bb068e16f34301ceced61f2314cc335c14829fb92e9b71d0c725895b1d515db42a394ef98d20c5f241253ac29061b0fb6ab3e8ba8ba84653

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        364d4f6174201952118819ac29fb5ecb

        SHA1

        2efa07ae3b6d391c48492d28d4f0dae02834d94c

        SHA256

        13ec30eab3e3f48e4035b9daebce4c2be6db6cd20803e77c92869ef867684852

        SHA512

        7a8da480ee2986dfc0d4384ce05b4017dbe1dd49f54f1f102980461cb1c95a98236fe8faa3abf89c23436d66746dffba79fae851a995474eba83a0180f7be9d7

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4d96b45ad74f97cf855436f486a84297

        SHA1

        2d150ae04e5d8f7960bfdcabaca35c8d434d8c4e

        SHA256

        a138572b866949d96fcc662ac73bdbccc063c0a1ca4e644762cb2aa37a15c51c

        SHA512

        38fb97b852b6f388c495e53899f509e731d4d6196e22c4db2f4464173b2e511fce6afac0add6c138d0f6924b5d7f640e4f88f56b963f467c4bc8cdd46f767897

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        b67373e2dd43f66cf7c8a6c262a8ff59

        SHA1

        5fa3f8f899ef857cbecbf72fc18e724e05b220ff

        SHA256

        ed119cc9ca66c2c5f3606853bcc1bf4e7fc70c17ebfd40b7d480b3e296014197

        SHA512

        efa331a5f50d9be00d65c1dbd45a3509ca083d4d8e93584c0d9de4535a26a5feea7ee3051fc249663431243ee63b9eaee479cf53b05c652ecf91ede6401399a3

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5c949dd327d0b80e21622bfcd78193f3

        SHA1

        622af6038dc1830aa07bcd24ab52d0f4e561555b

        SHA256

        a2997a7976603fdf619d7bd23cf11ab9e2b86bf5fdb79d0806257522efaccd8a

        SHA512

        aece9ca476100b52eb28e752c8318fe4fff317383755fff2167c346dfc150f0790fec5f55cee856cda98b9f1c79b395e7ba5d65f3b80bae9d8badde8acdea9b7

      • C:\Users\Admin\AppData\Local\Temp\RES3841.tmp
        Filesize

        1KB

        MD5

        d0b80a8306b3f2203cb42ae9b00b7983

        SHA1

        afd7964528a87585c3faafa413f12d4647ea07ec

        SHA256

        6ba6b56ad4f9e35177a30f83005f7d5b98cc9ef1114f043f263980986bcb5630

        SHA512

        f603e985fddfabec474b61f21e7d624f8cd8ebda7e91c1cfb2f4deaf3c7c5cc0d6eaeca9f234c1f80af0400b3d3a2a46eaf0334e511377001658323db1fe554e

      • C:\Users\Admin\AppData\Local\Temp\qqomwagb.dll
        Filesize

        5KB

        MD5

        05d8f98e89b8ae6bb97058cd4eca77d7

        SHA1

        e5310a841748cc9d73c3bd7d031dff93aff7b82f

        SHA256

        37f26be7667e93a5c9a552fa12d3b73ad0923b7cd4fb82edaff54d082b7639b6

        SHA512

        a1b45deebbf68d673d91420bfa2318dcc2a684bbfa15121a43bc8b385512f9e644823ed605c66d9d7baa4d86959865eec29d300364abcd82fa5c232262b76e85

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        6KB

        MD5

        d89fdbb4172cee2b2f41033e62c677d6

        SHA1

        c1917b579551f0915f1a0a8e8e3c7a6809284e6b

        SHA256

        2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

        SHA512

        48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC3840.tmp
        Filesize

        652B

        MD5

        d6dfae2be8a4b22fdb9ad582285c004d

        SHA1

        4a7652d6bfc1c85077dfffc62ef3ea2376187250

        SHA256

        3fe11152e727c796b3c4181412206ff64b562864501c53748986367dcae49816

        SHA512

        2d957637c180f2586ec215e9442ef8e1c218ae680a449e4c6c7264aae1f27b2d7a2d8a81ae7a0c41132c10e47a1490987ee4349b46f8d4890d78117685ed028a

      • \??\c:\Users\Admin\AppData\Local\Temp\qqomwagb.0.cs
        Filesize

        5KB

        MD5

        cb25540570735d26bf391e8b54579396

        SHA1

        135651d49409214d21348bb879f7973384a7a8cb

        SHA256

        922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

        SHA512

        553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

      • \??\c:\Users\Admin\AppData\Local\Temp\qqomwagb.cmdline
        Filesize

        206B

        MD5

        38a7fd980f6d337954e645d4642d896e

        SHA1

        30af2783839398e83c5c69180344a113621c7d27

        SHA256

        100de598f9c13ec27ee098cd8d8c1f28f07933ce3a3e6a6f31464ff862794a58

        SHA512

        65cbc7e2a557de6a7a11e4a800dbcb67b4c1254d720a83b472ec1a2394ce37a8120b9b366ad1b1c5f09b8c55a5062104ca5568652d7ea605b0bb05745642d63d

      • memory/1252-52-0x0000000002DA0000-0x0000000002DA1000-memory.dmp
        Filesize

        4KB

      • memory/1900-311-0x0000000000120000-0x0000000000121000-memory.dmp
        Filesize

        4KB

      • memory/1900-603-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/1900-438-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

      • memory/1900-1590-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

      • memory/2096-1-0x0000000074EB0000-0x000000007545B000-memory.dmp
        Filesize

        5.7MB

      • memory/2096-0-0x0000000074EB1000-0x0000000074EB2000-memory.dmp
        Filesize

        4KB

      • memory/2096-47-0x0000000074EB0000-0x000000007545B000-memory.dmp
        Filesize

        5.7MB

      • memory/2096-2-0x0000000074EB0000-0x000000007545B000-memory.dmp
        Filesize

        5.7MB

      • memory/2128-31-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2128-45-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-29-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-33-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-35-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-37-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-46-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-41-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-27-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-43-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-936-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2128-25-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

      • memory/2928-8-0x0000000074EB0000-0x000000007545B000-memory.dmp
        Filesize

        5.7MB

      • memory/2928-15-0x0000000074EB0000-0x000000007545B000-memory.dmp
        Filesize

        5.7MB