cybergate | eb063ab490ddf8d365c225cdf30f4a00471306ea361bd99526560b848ffdcfee

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Size

1.6MB
MD5

304a8e919a6830aeef90de93c347b9c2
SHA1

8012766a46072a0bb27ebbbecbd0e0e3b307c460
SHA256

eb063ab490ddf8d365c225cdf30f4a00471306ea361bd99526560b848ffdcfee
SHA512

7f1a1549cb50119e15302f52aaa64e571cba4cedc75f760b38a2ae21d3fc53ca3b6b6f88df13803f84fbb45e175fed7d5f2ea04c77a86d8cf04bd0e267bdbf1f
SSDEEP

24576:6i/XvMhyRIg0rU0UoMNj31snHEc+42hkxRbWQhn5Sc6/sQloVuDMAFj/l5ZZWrYu:6UfMu97QohuRbLn5Se/IzFN7ZBKrT

Score

10^/10

cybergate is4.0 credential_access discovery persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

Is4.0

jpb.no-ip.biz:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
iexplorer.exe
install_dir
install
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
le fichier ne peux pas s'installer .....
message_box_title
Erreur484
password
abcd1234
regkey_hklm
Yahoo

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\explorer.exe"	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\explorer.exe"	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	ftpppp.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
1500	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2100-13-0x0000000000400000-0x000000000055C000-memory.dmp	themida
behavioral1/files/0x0008000000016c53-460.dat	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Yahoo = "c:\\dir\\install\\install\\explorer.exe"	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1592-7-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-5-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-15-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-16-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-11-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-19-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-17-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-18-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/1592-22-0x0000000024010000-0x0000000024052000-memory.dmp	upx
behavioral1/memory/1592-282-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/840-458-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral1/memory/1592-739-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/840-777-0x0000000024060000-0x00000000240A2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftpppp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1500	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
Token: SeDebugPrivilege	1500	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 2100 wrote to memory of 1592	2100	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	30
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21
PID 1592 wrote to memory of 1216	1592	JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:840
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:484
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_304a8e919a6830aeef90de93c347b9c2.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\ftpppp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ftpppp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
208KB

MD5
e8590d4a490b9508a06f2daa5018e692

SHA1
34dc4f38f3a35d6fd23396b1f45ca141b1110bda

SHA256
efd542fa6e795de5ce80cf167593b31c4c3488541725378191ec33159d7b51cc

SHA512
7dee300b89d33286aee4c39c4c90eba8f36291d7f045cedecf319e30e12fb6593f5275de411dfd8ffdc1e39e1e26edd52f546e67dfa63088aff0493a35e0bc2d

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
4362e21af8686f5ebba224768d292a5b

SHA1
504510a4d10e230dcd1605ab3342525b38a10933

SHA256
b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

SHA512
f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Download Submit
\??\c:\dir\install\install\explorer.exe

Filesize
1.6MB

MD5
304a8e919a6830aeef90de93c347b9c2

SHA1
8012766a46072a0bb27ebbbecbd0e0e3b307c460

SHA256
eb063ab490ddf8d365c225cdf30f4a00471306ea361bd99526560b848ffdcfee

SHA512
7f1a1549cb50119e15302f52aaa64e571cba4cedc75f760b38a2ae21d3fc53ca3b6b6f88df13803f84fbb45e175fed7d5f2ea04c77a86d8cf04bd0e267bdbf1f

Download Submit
\Users\Admin\AppData\Local\Temp\ftpppp.exe

Filesize
18KB

MD5
4259f6b67425cd152bd7ea297418cd2f

SHA1
4b6162ca90698261feeb2fb31934ccaa6c6cf237

SHA256
4c888fd40c3381c5d58ad25d421f963d1d2080dc253b6b0829ea51bc3160bfe0

SHA512
b605a765bf250e3b9981782a95af924b99cb8209ba5fbf38f09f8b30d7a5bf05373612a040f6bb5cecad163fe049dd9113093e3e9d4dc46377906ec3fb1bbb75

Download Submit
memory/840-777-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/840-458-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/840-271-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/840-227-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1216-23-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/1592-15-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-22-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/1592-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-16-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-282-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1592-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-739-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2100-14-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2100-13-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2100-1-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download