cybergate | c3dc8ce1961fd6c5d6b1665b7d05c388132c3053e8ea55728f39324ce2ee0da7

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Size

288KB
MD5

43b40d1854bba613f80351bd65d346f1
SHA1

d0da1823059e085cdca7e6178ab762987a5bccc9
SHA256

c3dc8ce1961fd6c5d6b1665b7d05c388132c3053e8ea55728f39324ce2ee0da7
SHA512

b67a6a12f5677ea777ac6f53dd5725b3165b3f75598fd335753ead26fcf6377beef7f4f077ca214ab0a8af5251eb4118b289c83636fd6b6e5a628b23ac022c56
SSDEEP

6144:5BBZs+WwcJsK4OYvm0ljMfatFPhifIKmha+12OL/2R3NM:Ls+Okm09PhaIKx+0ObW3e

Score

10^/10

cybergate akon934 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

akon934

127.0.0.1:81

akon934.no-ip.org:81

Mutex

T4313X4437RI36

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
SVhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
54041994
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\SVhost.exe"	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\SVhost.exe"	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SPD4B558-517V-N8CH-UFBI-SKJ5J2631MR0}	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SPD4B558-517V-N8CH-UFBI-SKJ5J2631MR0}\StubPath = "C:\\Windows\\system32\\install\\SVhost.exe Restart"	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Executes dropped EXE 4 IoCs

pid	Process
3976	SVhost.exe
1400	SVhost.exe
1232	SVhost.exe
3664	SVhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\SVhost.exe"	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\SVhost.exe"	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\SVhost.exe	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
File opened for modification	C:\Windows\SysWOW64\install\SVhost.exe	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 1400 set thread context of 1232	1400	SVhost.exe	88
PID 3976 set thread context of 3664	3976	SVhost.exe	89

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2732-7-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/2732-10-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/2732-69-0x0000000024070000-0x00000000240CF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2180	1232	WerFault.exe	88
1816	3664	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVhost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
1400	SVhost.exe
1400	SVhost.exe
3976	SVhost.exe
3976	SVhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
Token: SeDebugPrivilege	2148	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 208 wrote to memory of 2732	208	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	83
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84
PID 2732 wrote to memory of 4532	2732	JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43b40d1854bba613f80351bd65d346f1.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2148
    - - C:\Windows\SysWOW64\install\SVhost.exe
        
        "C:\Windows\system32\install\SVhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
      - C:\Windows\SysWOW64\install\SVhost.exe
        
        C:\Windows\SysWOW64\install\SVhost.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 564
        7⤵
        Program crash
        
        PID:2180
  - - C:\Windows\SysWOW64\install\SVhost.exe
      "C:\Windows\system32\install\SVhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3976
    - - C:\Windows\SysWOW64\install\SVhost.exe
        
        C:\Windows\SysWOW64\install\SVhost.exe
        5⤵
        Executes dropped EXE
        
        PID:3664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 532
        6⤵
        Program crash
        
        PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1232 -ip 1232
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3664 -ip 3664
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
093c7b0090dfe6350212c61630332116

SHA1
b53b1e5e23b9daaa530a972a6037ab6a9aa6341b

SHA256
df2ae9671956faa710f11bd4f8fe292d2b0492401fd1752317cd430f95a64df3

SHA512
332d81b516fb6ad5ec1c09b26302411ffbb14a7a37307d773e4595c00a615ae10eb1fdf7c820dd28b46fe084100cc20764d3941117c3809025faa7a895c3c1a5

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\SVhost.exe

Filesize
288KB

MD5
43b40d1854bba613f80351bd65d346f1

SHA1
d0da1823059e085cdca7e6178ab762987a5bccc9

SHA256
c3dc8ce1961fd6c5d6b1665b7d05c388132c3053e8ea55728f39324ce2ee0da7

SHA512
b67a6a12f5677ea777ac6f53dd5725b3165b3f75598fd335753ead26fcf6377beef7f4f077ca214ab0a8af5251eb4118b289c83636fd6b6e5a628b23ac022c56

Download Submit
memory/1232-131-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2148-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2148-12-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2148-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2732-7-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/2732-10-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2732-28-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2732-69-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2732-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2732-3-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2732-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2732-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3664-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download