cybergate | ffe0158fe8b1505a4e4fa40759e6fdb518d77d61cd89a2d6bd2acf9dcdaad946

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe
Size

454KB
MD5

1c772ded94e555a7266e56f02a9c54a7
SHA1

039bc50e2657913de0281282dd800f74a3dc319e
SHA256

ffe0158fe8b1505a4e4fa40759e6fdb518d77d61cd89a2d6bd2acf9dcdaad946
SHA512

b8bb451647d06e5b5aae949d5e4189b9e9a211d9090a71f450c7f379be9fffd195e968f84ba3cdf6b7b4bc69eeee476885186320a052474cfb13dd31ac6f2318
SSDEEP

6144:xVt1ipxxelcJyhLNd8WbWIXKhBhHYb0ErdALd1JBnl2St81Ftyueugkj+I9aCK:1YY/Lf8W1Kz9qds5aDtNsv5

Score

10^/10

cybergate mplus persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

mplus

mwac9.serveblog.net:88

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1982
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mplus1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\spynet\\server.exe"	mplus1.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mplus1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\spynet\\server.exe"	mplus1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mplus1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exemplus1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{FTR51D3T-3F0A-G2RO-5TAY-RHYM4EYSUC24}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FTR51D3T-3F0A-G2RO-5TAY-RHYM4EYSUC24}\StubPath = "c:\\dir\\install\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{FTR51D3T-3F0A-G2RO-5TAY-RHYM4EYSUC24}	mplus1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FTR51D3T-3F0A-G2RO-5TAY-RHYM4EYSUC24}\StubPath = "c:\\dir\\install\\spynet\\server.exe Restart"	mplus1.exe

Executes dropped EXE 5 IoCs

Processes:

mplus1.exemplus1.exemplus1.exeserver.exeserver.exe

pid process

344 mplus1.exe
1284 mplus1.exe
2572 mplus1.exe
3676 server.exe
88144 server.exe
Loads dropped DLL 6 IoCs

Processes:

1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exemplus1.exemplus1.exemplus1.exe

pid process

1600 1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe
1600 1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe
344 mplus1.exe
1284 mplus1.exe
2572 mplus1.exe
2572 mplus1.exe

pid	process
344	mplus1.exe
1284	mplus1.exe
2572	mplus1.exe
3676	server.exe
88144	server.exe

pid	process
1600	1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe
1600	1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe
344	mplus1.exe
1284	mplus1.exe
2572	mplus1.exe
2572	mplus1.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1284-83507-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1284-83496-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1284-83501-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1284-83491-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1284-83508-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1284-83493-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1284-84434-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/88144-167654-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mplus1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\spynet\\server.exe"	mplus1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\spynet\\server.exe"	mplus1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mplus1.exeserver.exe

description pid process target process

PID 344 set thread context of 1284 344 mplus1.exe mplus1.exe
PID 3676 set thread context of 88144 3676 server.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mplus1.exeserver.exe

pid process

1284 mplus1.exe
88144 server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mplus1.exe

pid process

2572 mplus1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mplus1.exe

description pid process

Token: SeDebugPrivilege 2572 mplus1.exe
Token: SeDebugPrivilege 2572 mplus1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mplus1.exe

pid process

1284 mplus1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mplus1.exeserver.exe

pid process

344 mplus1.exe
3676 server.exe

description	pid	process	target process
PID 344 set thread context of 1284	344	mplus1.exe	mplus1.exe
PID 3676 set thread context of 88144	3676	server.exe	server.exe

pid	process
1284	mplus1.exe
88144	server.exe

pid	process
2572	mplus1.exe

description	pid	process
Token: SeDebugPrivilege	2572	mplus1.exe
Token: SeDebugPrivilege	2572	mplus1.exe

pid	process
1284	mplus1.exe

pid	process
344	mplus1.exe
3676	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exemplus1.exemplus1.exe

description	pid	process	target process
PID 1600 wrote to memory of 344	1600	1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe	mplus1.exe
PID 1600 wrote to memory of 344	1600	1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe	mplus1.exe
PID 1600 wrote to memory of 344	1600	1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe	mplus1.exe
PID 1600 wrote to memory of 344	1600	1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 344 wrote to memory of 1284	344	mplus1.exe	mplus1.exe
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE
PID 1284 wrote to memory of 1200	1284	mplus1.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c772ded94e555a7266e56f02a9c54a7_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\mplus1.exe
"C:\Users\Admin\AppData\Local\Temp\mplus1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\mplus1.exe
"C:\Users\Admin\AppData\Local\Temp\mplus1.exe"
4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\mplus1.exe
"C:\Users\Admin\AppData\Local\Temp\mplus1.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\dir\install\spynet\server.exe
"C:\dir\install\spynet\server.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3676

C:\dir\install\spynet\server.exe
"C:\dir\install\spynet\server.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:88144

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
e767292f66db063ce739fc12b41f359e

SHA1
6bb32d3aed913b0b6f3f21c333912a2e0369704a

SHA256
b9df270308785fbd5519d9e2a432f0c5606fcd0c74b455aac55772cde49799e1

SHA512
4887e7e21b04c50627cc7e7384874213f7d4cc3a2319f5997fc99beecfbfdc54b02ecfe5e0000d097fa2982095657c30f5e4e2ae0408c5c04776c01fd1e72df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
80de4ac0b78e714382efa773d076e31f

SHA1
e74c1d4f843431f77811473aea4ee7812c5c95d2

SHA256
c3a2fbe444752793b402de81e26b019e953d17c553f5b426379de8eeee99b8d0

SHA512
a0a3e6be8b48f612d186a290915b03716c9442e48e4d67fcd50737424e53b701cf092cd1e152567db43c37dbf73abd9631fba55c9795e9d5cc4256ad0e56529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f167f6b5fc1ec62d7c663a3dd1c8a49e

SHA1
c54bbde323db0c8b5b2870d650675a5974e55381

SHA256
8b109b7d801b21ae3cba2c4d01ad30fe44282c99643a4350e55e5be806bc2655

SHA512
c0dab85b4332b28fdf8f181c697dc590b570fc1ee0329021d54283c64b8e42aee981a587d0d6e447883fff42f2e8c9d93a66d30b15afeff631f2af1d7c046900

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b35ee2bf674994be3d6cee440896dd12

SHA1
30ff647c96bc33e7c4d13f80d3be24ee58ae5237

SHA256
9a4b069911901ad94cc8cff0757ec6cb7acfeac7e5b899e3b77d2ba9c3e08ae6

SHA512
a6a0102e09fbaebe16541dfb8c3846739fb7cfa973b6757b1cdb1c1c36a0985283ddd5fea1269bf3f037e03555d2e43539173f319ae6fee8195b2691c5d5ae09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3af15cccb1ff53a79751843fcba737cc

SHA1
9215e89e70227c86e9132acf77e553e185387b22

SHA256
63b728a0be89612622865a52838ae15eb76808e1dc07a90c1b5a578d81b7b12d

SHA512
6a3750bfee6c67c2261c2fffba5ae01aa11b2ef5ba84a7636a6f9aa6ece81029af2abd22e39e7a2032f419945214955556f4a992ab25fbc4368833278e0cf2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
315e37826e431bec38376b6316f6f9a1

SHA1
f166ce1e257bc610c70b42443889acd9f43df8af

SHA256
bbd88547a13003734671834e17c12fdab4778e6d3afb4ef4d4c9c3453ec5da22

SHA512
8de7a1ed8636d72697f15de95c255dd68273c19993540a954b752490cd39db4d66383b9863ffadeb0256ef93d96db1f267140ef9d5c34c1bc549584a258b715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
906ae2b1bbf05f333e46e2fea18b7d38

SHA1
7f417529a8d440840a7e60538aa65109161af68a

SHA256
9d940fc20cb9b269be18e39637124a7549f3d6ee5cd53e0f99a4c914057297fb

SHA512
a78e94e7b13da4cc5c369d3f63e874aa0174799e40106c342933ee4a78bfe68e11b3966588823fbe319fc16e37eb1b26a5bd0c16c0dc3b04ceab7c51d866d9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ff5465d5f2f410785dcdf6f87dd84eac

SHA1
0fd183a3dce178b083f66f840343a832ced32933

SHA256
a170007fe3846165362fbaf736119758b3d1de57a7e0c10693c39a3befa34288

SHA512
0993d9e681e5009a37d7322287907ce237cca37229779d15f4fc34bd75ba5e997cfa3beb7e583875053e018a3f2aefe427986fe72466e2ac5d07efee565bee3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
439c791410d3f3fe62fa77f5392d0f0b

SHA1
1a49a72c180c7d7ec4b105ff8f641701e5316fc8

SHA256
71e7abfbe6d67301c84e5566ee3cf2d86debb09a9a78b4ce2c62ddc01fe32335

SHA512
a9f153df40cc922756d736ad6dca6ed7c613358317121d998e663941521498130be16c9d69ba772cbe01daee748943a0487ddc36cf8b6fce85a84ecd4c5017ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
951b8276089473737f49ed81eb3e2580

SHA1
51ae80b834ebcc7316cd3f8afe7264cc12229514

SHA256
a3e075ba54beff2f641529444592aa847c274746bee049242e78e86dfe75237f

SHA512
b725e249bfb017513313336d1999168907db5b24af27154092e4c71a764a2114ad66ea8641881227641784bc57162594e1e31607332ed1dc5b8dc24fafb51589

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\699c4b9cdebca7aaea5193cae8a50098_84f733b4-eea8-4063-a7fc-81d3a2fcb37c
Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\Users\Admin\AppData\Local\Temp\mplus1.exe
Filesize
384KB

MD5
9074667569151519e8fb02ab9e90146a

SHA1
ca5b3f49aa208166f50f2ce3fcd670b58cde8656

SHA256
011df7dd445b2c5ad26dd6db71541e18d3ce95335457137b83c34f6a2e9ac085

SHA512
5ec6f7322d040c3eada80210a921b5ae956dca433a328b7b6dc5b44fd7f6801f43ef8167d8b206becd40fd084be691558c7b5b4eadcd9f0f56e6530b511bccdd

Download Submit
memory/344-77039-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1284-84434-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83493-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83489-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83508-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83491-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83501-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83495-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1284-83496-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1284-83507-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/88144-167654-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download