cybergate | 30f2f7928458acfc9279e1fd6c48d3f32e3270fdb9e7c6874927c68e49be9956

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Size

556KB
MD5

0c6f4351213706ab60578e561e602270
SHA1

6a7c53a04a8af1858fcbb6c5e49fc75fe028c694
SHA256

30f2f7928458acfc9279e1fd6c48d3f32e3270fdb9e7c6874927c68e49be9956
SHA512

1aaa3e11982db3be08a6582c286199b30c6d661ea9903fa9a9009842d0f69d9e03e5509f40bed9e2bdbd820316637aeedf0cd043fb07d640243b935a3243b065
SSDEEP

6144:IHrMZRQbcj/78JCHAolxf3hxAQJ8+Vr7YcFvxPgEXmjDY7gU+JsoecDM5NDFn:IHgZREcfXRXhqQbVfYc5PRuxeoesM5T

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

127.0.0.1:81

pp-p.no-ip.org:81

Mutex

Realtek

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Realtek
install_file
Realtek_up.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
LEON
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Realtek\\Realtek_up.exe"	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Realtek\\Realtek_up.exe"	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{88NPV13H-B877-Y57V-DV1W-7CD8KOJ1D8GW}	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88NPV13H-B877-Y57V-DV1W-7CD8KOJ1D8GW}\StubPath = "C:\\Program Files (x86)\\Realtek\\Realtek_up.exe Restart"	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{88NPV13H-B877-Y57V-DV1W-7CD8KOJ1D8GW}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88NPV13H-B877-Y57V-DV1W-7CD8KOJ1D8GW}\StubPath = "C:\\Program Files (x86)\\Realtek\\Realtek_up.exe"	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4480-9-0x0000000024010000-0x0000000024052000-memory.dmp	upx
behavioral2/memory/4480-12-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/4480-60-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/3104-64-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/3104-65-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/4480-72-0x0000000024100000-0x0000000024142000-memory.dmp	upx
behavioral2/memory/4480-69-0x00000000240B0000-0x00000000240F2000-memory.dmp	upx
behavioral2/memory/2936-125-0x0000000024100000-0x0000000024142000-memory.dmp	upx
behavioral2/memory/3104-166-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral2/memory/2936-175-0x0000000024100000-0x0000000024142000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Realtek\\Realtek_up.exe"	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Realtek\\Realtek_up.exe"	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description pid process target process

PID 3868 set thread context of 4480 3868 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description	pid	process	target process
PID 3868 set thread context of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Realtek\Realtek_up.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Realtek\Realtek_up.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Realtek\Realtek_up.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Realtek\	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

pid process

2936 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2936 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Token: SeDebugPrivilege 2936 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

pid process

4480 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

pid process

3868 0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

pid	process
2936	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2936	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
Token: SeDebugPrivilege	2936	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

pid	process
4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

pid	process
3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c6f4351213706ab60578e561e602270_JaffaCakes118.exe0c6f4351213706ab60578e561e602270_JaffaCakes118.exe

description	pid	process	target process
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 3868 wrote to memory of 4480	3868	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE
PID 4480 wrote to memory of 3384	4480	0c6f4351213706ab60578e561e602270_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c6f4351213706ab60578e561e602270_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Local\Temp\0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c6f4351213706ab60578e561e602270_JaffaCakes118.exe"
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\0c6f4351213706ab60578e561e602270_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c6f4351213706ab60578e561e602270_JaffaCakes118.exe"
4⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Realtek\Realtek_up.exe
Filesize
556KB

MD5
0c6f4351213706ab60578e561e602270

SHA1
6a7c53a04a8af1858fcbb6c5e49fc75fe028c694

SHA256
30f2f7928458acfc9279e1fd6c48d3f32e3270fdb9e7c6874927c68e49be9956

SHA512
1aaa3e11982db3be08a6582c286199b30c6d661ea9903fa9a9009842d0f69d9e03e5509f40bed9e2bdbd820316637aeedf0cd043fb07d640243b935a3243b065

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuU.uUu
Filesize
8B

MD5
57d4d72d440776aefea9be42a05c111c

SHA1
81657d48c6e9851fdb116f8f184b8d715b439772

SHA256
6f6e7f8cf39b75b25ed8013256e74b1e88480d8252d4dcddda19b5869e09eb98

SHA512
08f248872ad7ab842f5073f450028f31df0489b667ea13878eb3ec3fe1e423363e1fb81b1ba68f8f8e837fa6e087b5acb111db78d347c17d2eb38134f3805afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
189KB

MD5
f1a68c11825ff33f9a61d62b94078677

SHA1
a25adabb395bdb9d50fec203e6851cdbc8fa83a2

SHA256
e54bf567c29af4d720ef48dded25239edb67aaf44006610fac3064231a3ec1ae

SHA512
e5ed0d87524d94f609549dd841e385107bbebc668aba3cb071566b2ce94fefd3c3673288c732d21e792d5b1c02d1530963191639bacaa60a97dfefbf06cd8d6b

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
4362e21af8686f5ebba224768d292a5b

SHA1
504510a4d10e230dcd1605ab3342525b38a10933

SHA256
b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3

SHA512
f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Download Submit
memory/2936-175-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/2936-125-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/3104-64-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/3104-13-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3104-166-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/3104-63-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/3104-14-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/3104-65-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/4480-2-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4480-12-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/4480-72-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/4480-69-0x00000000240B0000-0x00000000240F2000-memory.dmp

Filesize
264KB

Download
memory/4480-9-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/4480-132-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4480-5-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4480-4-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4480-60-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/4480-3-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download