cybergate | 195e29788b3bed46e893f63ea7b79970cb6e2931d6a2446f31d93164d406be04

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Size

303KB
MD5

e7b697eef7f462548b2d03bb5f5f24a9
SHA1

ac6a6a4cef8a00f79fa76604191b7129df44917b
SHA256

195e29788b3bed46e893f63ea7b79970cb6e2931d6a2446f31d93164d406be04
SHA512

0235445d86481a8edd5551178ee012df4bceb28a6c4ac70de245a6522b96439816b8a48630f28daa7a4b0ba3a8b6ba7e61a4132985c58562a5863da1754a37e6
SSDEEP

6144:zOpslFlq4hdBCkWYxuukP1pjSKSNVkq/MVJby:zwslfTBd47GLRMTby

Score

10^/10

cybergate remoto discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remoto

virtualboxjon.zapto.org:5876

Mutex

5O2QUPEU0VEC0I

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Drivers
install_file
driver32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Drivers\\driver32.exe"	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Drivers\\driver32.exe"	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{VGRGWU3J-5PHK-R3ND-8V5Q-88SR4013P3B3}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VGRGWU3J-5PHK-R3ND-8V5Q-88SR4013P3B3}\StubPath = "C:\\Windows\\Drivers\\driver32.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{VGRGWU3J-5PHK-R3ND-8V5Q-88SR4013P3B3}	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VGRGWU3J-5PHK-R3ND-8V5Q-88SR4013P3B3}\StubPath = "C:\\Windows\\Drivers\\driver32.exe Restart"	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4604	driver32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Drivers\\driver32.exe"	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Drivers\\driver32.exe"	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3088-2-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3088-63-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4216-68-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2284-133-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/4216-156-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2284-161-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Drivers\driver32.exe	explorer.exe
File opened for modification	C:\Windows\Drivers\	explorer.exe
File created	C:\Windows\Drivers\driver32.exe	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
File opened for modification	C:\Windows\Drivers\driver32.exe	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	4604	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2284	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4216	explorer.exe
Token: SeRestorePrivilege	4216	explorer.exe
Token: SeBackupPrivilege	2284	explorer.exe
Token: SeRestorePrivilege	2284	explorer.exe
Token: SeDebugPrivilege	2284	explorer.exe
Token: SeDebugPrivilege	2284	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55
PID 3088 wrote to memory of 3444	3088	e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e7b697eef7f462548b2d03bb5f5f24a9_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
  - - C:\Windows\Drivers\driver32.exe
      "C:\Windows\Drivers\driver32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 568
        5⤵
        Program crash
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4604 -ip 4604
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
231KB

MD5
92992f2b19329bd541f567fe9ed49bec

SHA1
4e8ef39796dda99662681a6b361ed4fcb0756edc

SHA256
46feabab2e0d6a3ca6d6743fcbaf2b5a3630f9208370e9438b1d293d7c8e0851

SHA512
eca7ffb36837a25c49f887a452822e161b21c7d6273c589113e5194888489a084e4480fee3ea6ac6fca4d7ebf79a0f02c588a2655b3848699adee419ab411a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a9ffddb00216f23bfa97bd2ca533094d

SHA1
36dd6fd97c023b16e9d3e4fc103097c6d11b66f4

SHA256
c6aee7979a0dc9b140dd1408bea39ef0d1d2c6270896a4028b4228224463d1e3

SHA512
1a2588c958f5c25865be966bd58ff204e7d2b480fd6bf8627486bbd26c88d78bb41293abf2a68a02a9a0d6b3431b2123cb3084d0ce552295dc2f274ab7a7c4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8cc0196db389ccf036c632ee604bdf8d

SHA1
6f4793f5ea3b9d82f433babcdd7fdddbac5d2344

SHA256
36990ffbed33d2fc3cda78d66066b575690b756e273182ba0c93cf33dc1ae1e2

SHA512
9edeaaa9fb8051f6eacceb7f1b3a6c0282161253f545df71655e3bd9edbbb35983476fc16ac636339e5e000447a52bcbdcdaa9e2a7178832df48ea807687a008

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c3a59a93913f4857d06a6fff711d9d7a

SHA1
4edd2f15c07eca0ab509dd751dc932651e8d9923

SHA256
6a0163deb83e3e214e30d95a0c7e79b8ff0738d60b44b047ff9b09c719dc575e

SHA512
e2d74852d32bca9c7d3680724427cbb19d344ed031bda4b19e22dad4bc629925337559976e5faeb18158ef7daca2ea3d561ee5e10fcd603853428b1584d1b6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5ffbfe8c9895d2975ecbb2b8cc874dee

SHA1
9c70700c5ce262561ef71b9d0339f18d0e0046ed

SHA256
e665116193ac01bb7372c27296bd29c38c2585f2ecf86201746fc337e3c314f4

SHA512
ab4214fe289b62d3a1bc3e4f964a30b51fbb4df73f4c2e3d1e12a652065c8864790b2108c19b7edcc6f4145357dfcbc82b396d8957174f3eda46db1c3e38ea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8d423663f69ea658d04e20da57d41312

SHA1
997886ea5a4b7da06e95a0bb61bacb453afeffbe

SHA256
427469831adc7fd005d287e02e133a8a4f20725fc8dfcd33d184afca439b0000

SHA512
84a618736e9e90967d8358e429bebab233bbb4085a5c220bcede3e30675a95b155188cc868843be3e8cf1ec5b22fa03634aa588a9289038e534e8ae963874962

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\Drivers\driver32.exe

Filesize
303KB

MD5
e7b697eef7f462548b2d03bb5f5f24a9

SHA1
ac6a6a4cef8a00f79fa76604191b7129df44917b

SHA256
195e29788b3bed46e893f63ea7b79970cb6e2931d6a2446f31d93164d406be04

SHA512
0235445d86481a8edd5551178ee012df4bceb28a6c4ac70de245a6522b96439816b8a48630f28daa7a4b0ba3a8b6ba7e61a4132985c58562a5863da1754a37e6

Download Submit
memory/2284-133-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2284-161-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3088-2-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3088-63-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4216-156-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4216-68-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4216-66-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/4216-8-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4216-7-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download