cybergate | aacdf6bcb15afa56c07ffcd2e7f8fa9e26d920af1d4614c03edb24c6cb5cb6b8

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Size

8.2MB
MD5

45cfd5b04853ee2519df5dbae83fea33
SHA1

5ee4e1ebf2723cecbe13afcf4d6636eed0ee0e38
SHA256

aacdf6bcb15afa56c07ffcd2e7f8fa9e26d920af1d4614c03edb24c6cb5cb6b8
SHA512

5734dcb76f7cf892b03c8540339ccd3f35797d6a66ba76f6b8c34c3f07890a3c75a13b2a8c853cc153439e69b9544566e6d6da19a23fad34df0d0e10d5dde052
SSDEEP

196608:QttvC0KNZskfwZ4r2W7Sx/I6Ohmq+j2GabhJv3WIp1i1TM7kV8EXT3bsi4u:QvClNtl2eMaAPohJvpwQ7kVRB

Score

10^/10

cybergate victim discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2.2

Botnet

Victim

f-15aaa.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
explore.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
?? ??????? ?????? ?????? ???????
message_box_title
??? ?????
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\explore.exe"	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\explore.exe"	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{ILL8053U-B2NN-RP20-2858-1DGV516WIW7F}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ILL8053U-B2NN-RP20-2858-1DGV516WIW7F}\StubPath = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\explore.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{ILL8053U-B2NN-RP20-2858-1DGV516WIW7F}	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ILL8053U-B2NN-RP20-2858-1DGV516WIW7F}\StubPath = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\explore.exe Restart"	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\explore.exe"	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\explore.exe"	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1084-3-0x0000000024010000-0x000000002404D000-memory.dmp	upx
behavioral2/memory/1084-51-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/3828-55-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/3828-56-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/1084-63-0x00000000240D0000-0x000000002410D000-memory.dmp	upx
behavioral2/memory/1084-60-0x0000000024090000-0x00000000240CD000-memory.dmp	upx
behavioral2/memory/4492-114-0x00000000240D0000-0x000000002410D000-memory.dmp	upx
behavioral2/memory/3828-151-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/4492-156-0x00000000240D0000-0x000000002410D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1244	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1244	vlc.exe
4492	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Token: SeDebugPrivilege	4492	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
Token: 33	3016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3016	AUDIODG.EXE
Token: 33	1244	vlc.exe
Token: SeIncBasePriorityPrivilege	1244	vlc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe
1244	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56
PID 1084 wrote to memory of 3524	1084	JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:3828
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45cfd5b04853ee2519df5dbae83fea33.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\www.6rb.com_1203.mp3"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\explore.exe

Filesize
8.2MB

MD5
45cfd5b04853ee2519df5dbae83fea33

SHA1
5ee4e1ebf2723cecbe13afcf4d6636eed0ee0e38

SHA256
aacdf6bcb15afa56c07ffcd2e7f8fa9e26d920af1d4614c03edb24c6cb5cb6b8

SHA512
5734dcb76f7cf892b03c8540339ccd3f35797d6a66ba76f6b8c34c3f07890a3c75a13b2a8c853cc153439e69b9544566e6d6da19a23fad34df0d0e10d5dde052

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
088909adc3c4b42d5dacaa6a52990d9f

SHA1
d203e27e1126942893a9eb6d4bbdd16b4cb7cb01

SHA256
358b01b2db6b32e46198a299b95da3b2975642890b3682ea28d10e38fb1c2271

SHA512
17bf5e7db321edba143101393aac086477aae00e80c1df04050a65e79b49c81e1ed655195b1323586e667b9bd04873f74a8ac12601dbe47103fb77c7089e4035

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
8.1MB

MD5
42db08c5356e24d5accba9e10cca42b6

SHA1
85e21ee5a118cc3e236ba31e8ed97582d4996932

SHA256
e7505c834b2001119ac4e684f8beace7390e1b0323626376794c452e0c933298

SHA512
2e036b735dc40f34e41cdb2a92c873569f39fcedde24078f4894ff95ce7b38c6fa677d4c75100fd944f1852f40ebff0ad27f1e24237efd4febceedddec8d8557

Download Submit
C:\Users\Admin\AppData\Local\Temp\www.6rb.com_1203.mp3

Filesize
8.0MB

MD5
9277cc955c224814a9c234359aced7b1

SHA1
8d4c67d8f3685c4ea5531996bdac526dc06edc26

SHA256
ae1adc6b3123965472a392260a438c4193b23b2a551397ec2e0e9c924d21c19c

SHA512
4b5fbe3e9bb270c9d0668a9fdd0ba73051587c34fc160de852b080362559c955855ae1d4bf9641e929241f62997e5ee09e349e67ead4c0731d639d6f342cf50f

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
memory/1084-51-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/1084-63-0x00000000240D0000-0x000000002410D000-memory.dmp

Filesize
244KB

Download
memory/1084-60-0x0000000024090000-0x00000000240CD000-memory.dmp

Filesize
244KB

Download
memory/1084-3-0x0000000024010000-0x000000002404D000-memory.dmp

Filesize
244KB

Download
memory/3828-55-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/3828-56-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/3828-54-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/3828-7-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3828-151-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/3828-8-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4492-114-0x00000000240D0000-0x000000002410D000-memory.dmp

Filesize
244KB

Download
memory/4492-156-0x00000000240D0000-0x000000002410D000-memory.dmp

Filesize
244KB

Download