cybergate | 41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522

Analysis

max time kernel
187s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Size

304KB
MD5

6797a4601a94d2e000c14570e4126242
SHA1

91526536ca111d4e92e79a63846aa10bfd5afaa8
SHA256

41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522
SHA512

1bb5406086b5d53a6f4edc6a636607bd97fb920a7ff7a8525e502e289ee812eb1fe3e8e683c1bcef1a0c1cd73749d89e24ba6d569a2482daa90ab06cad04753c
SSDEEP

6144:CUDX4Im/321Cxk2t2BMZ1gNflDOEJAqHIZsSP+DeZtD3JaCpyljNXxLsV0:pq210YmqlOuLHwZJ5a4yrxLsV0

Score

10^/10

cybergate keylogger persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

keylogger

thegreatsun.no-ip.biz:101

Mutex

RC83D8G515R2XB

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
adobe
install_file
adobe.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\adobe\\adobe.exe"	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\adobe\\adobe.exe"	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe

Executes dropped EXE 2 IoCs

pid	Process
720	adobe.exe
1756	adobe.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{E123ERQM-DBSG-U08G-W61A-ILX6GSWV310L}	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E123ERQM-DBSG-U08G-W61A-ILX6GSWV310L}\StubPath = "C:\\Program Files (x86)\\adobe\\adobe.exe Restart"	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{E123ERQM-DBSG-U08G-W61A-ILX6GSWV310L}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E123ERQM-DBSG-U08G-W61A-ILX6GSWV310L}\StubPath = "C:\\Program Files (x86)\\adobe\\adobe.exe"	explorer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-29791-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1036-29806-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1036-36647-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 720 set thread context of 1756	720	adobe.exe	32

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\adobe\adobe.exe	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
File opened for modification	C:\Program Files (x86)\adobe\adobe.exe	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
File opened for modification	C:\Program Files (x86)\adobe\adobe.exe	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
File opened for modification	C:\Program Files (x86)\adobe\	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
1756	adobe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1996	explorer.exe
Token: SeRestorePrivilege	1996	explorer.exe
Token: SeBackupPrivilege	1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Token: SeRestorePrivilege	1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Token: SeDebugPrivilege	1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
Token: SeDebugPrivilege	1036	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1260 wrote to memory of 1732	1260	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	27
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20
PID 1732 wrote to memory of 1212	1732	41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
  "C:\Users\Admin\AppData\Local\Temp\41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
    "C:\Users\Admin\AppData\Local\Temp\41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe
      "C:\Users\Admin\AppData\Local\Temp\41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522.exe"
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1036
    - - C:\Program Files (x86)\adobe\adobe.exe
        
        "C:\Program Files (x86)\adobe\adobe.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:720
      - C:\Program Files (x86)\adobe\adobe.exe
        
        "C:\Program Files (x86)\adobe\adobe.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\adobe.exe

Filesize
304KB

MD5
6797a4601a94d2e000c14570e4126242

SHA1
91526536ca111d4e92e79a63846aa10bfd5afaa8

SHA256
41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522

SHA512
1bb5406086b5d53a6f4edc6a636607bd97fb920a7ff7a8525e502e289ee812eb1fe3e8e683c1bcef1a0c1cd73749d89e24ba6d569a2482daa90ab06cad04753c

Download Submit
C:\Program Files (x86)\Adobe\adobe.exe

Filesize
304KB

MD5
6797a4601a94d2e000c14570e4126242

SHA1
91526536ca111d4e92e79a63846aa10bfd5afaa8

SHA256
41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522

SHA512
1bb5406086b5d53a6f4edc6a636607bd97fb920a7ff7a8525e502e289ee812eb1fe3e8e683c1bcef1a0c1cd73749d89e24ba6d569a2482daa90ab06cad04753c

Download Submit
C:\Program Files (x86)\adobe\adobe.exe

Filesize
304KB

MD5
6797a4601a94d2e000c14570e4126242

SHA1
91526536ca111d4e92e79a63846aa10bfd5afaa8

SHA256
41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522

SHA512
1bb5406086b5d53a6f4edc6a636607bd97fb920a7ff7a8525e502e289ee812eb1fe3e8e683c1bcef1a0c1cd73749d89e24ba6d569a2482daa90ab06cad04753c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
a346bf4f0996eef3ac85aec9f6d58200

SHA1
30b27269d309f146ffc972a512401c2b4d716714

SHA256
1319322b83fca669aa1da37f7d4bd2f844809875262a3773853588b00b29591f

SHA512
5d72a27a2016a1577a106029966da9e13b31580026a44f6b6671ce53a54e656ac25ff1001a31a5e7ef3a17940b4184b09cf01f536e508b3ecfc2d8b71e3ef31f

Download Submit
\Program Files (x86)\Adobe\adobe.exe

Filesize
304KB

MD5
6797a4601a94d2e000c14570e4126242

SHA1
91526536ca111d4e92e79a63846aa10bfd5afaa8

SHA256
41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522

SHA512
1bb5406086b5d53a6f4edc6a636607bd97fb920a7ff7a8525e502e289ee812eb1fe3e8e683c1bcef1a0c1cd73749d89e24ba6d569a2482daa90ab06cad04753c

Download Submit
\Program Files (x86)\Adobe\adobe.exe

Filesize
304KB

MD5
6797a4601a94d2e000c14570e4126242

SHA1
91526536ca111d4e92e79a63846aa10bfd5afaa8

SHA256
41f728f85ff4a9fe2623858c66b079f6c277f599a033f46c866405ae3deba522

SHA512
1bb5406086b5d53a6f4edc6a636607bd97fb920a7ff7a8525e502e289ee812eb1fe3e8e683c1bcef1a0c1cd73749d89e24ba6d569a2482daa90ab06cad04753c

Download Submit
memory/1036-36647-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1036-29806-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1260-84-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-110-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-81-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-80-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-57-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-87-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-88-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-86-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-85-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-91-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-93-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-94-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-92-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-90-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-89-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-97-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-96-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-99-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-100-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-105-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-106-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-107-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-109-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-83-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-111-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-113-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-115-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-117-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-114-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-56-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-55-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-54-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-82-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-64-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-63-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-65-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-62-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-66-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1260-61-0x0000000000410000-0x000000000045D000-memory.dmp

Filesize
308KB

Download
memory/1732-29804-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-29772-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1756-59531-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1996-29791-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download