cybergate | d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

Analysis

max time kernel
150s
max time network
81s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
Size

399KB
MD5

5c7ee88e5b8e989a1a48e8005a14140e
SHA1

bd7e92e5b7420ee8a60174bdb163f43666df7186
SHA256

d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f
SHA512

fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65
SSDEEP

6144:+lBH/LMujtnvkp1TULQ2Ny84KUhyd6kaevYDGwlmfThxgaJYpPD0ThwkCl:e/LN583YY8ICaevKHlmfvfWpb0Tm

Score

10^/10

cybergate vpn persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN

internet.game-host.org:1000

Mutex

CATF41T8B41W7C

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\VaultCmd.exe"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1768	VaultCmd.exe
2040	typeperf.exe
668	VaultCmd.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1396-57-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1396-59-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1396-60-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1396-64-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1396-65-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1396-67-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1396-76-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1868-81-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1868-83-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1396-85-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1868-95-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1808-109-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1808-110-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 2040 set thread context of 1808	2040	typeperf.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1768	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2040	typeperf.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2040	typeperf.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2040	typeperf.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2040	typeperf.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2040	typeperf.exe
668	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
668	VaultCmd.exe
2040	typeperf.exe
668	VaultCmd.exe
668	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
668	VaultCmd.exe
2040	typeperf.exe
668	VaultCmd.exe
668	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
668	VaultCmd.exe
2040	typeperf.exe
668	VaultCmd.exe
668	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
668	VaultCmd.exe
2040	typeperf.exe
668	VaultCmd.exe
668	VaultCmd.exe
668	VaultCmd.exe
1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
668	VaultCmd.exe
2040	typeperf.exe
668	VaultCmd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
Token: SeDebugPrivilege	1768	VaultCmd.exe
Token: SeDebugPrivilege	1868	svchost.exe
Token: SeDebugPrivilege	1868	svchost.exe
Token: SeDebugPrivilege	2040	typeperf.exe
Token: SeDebugPrivilege	668	VaultCmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1396	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	27
PID 1956 wrote to memory of 1768	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	28
PID 1956 wrote to memory of 1768	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	28
PID 1956 wrote to memory of 1768	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	28
PID 1956 wrote to memory of 1768	1956	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	28
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29
PID 1396 wrote to memory of 1868	1396	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
"C:\Users\Admin\AppData\Local\Temp\d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe
  "C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe" /f
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:1924
- - C:\Users\Admin\AppData\Local\Temp\typeperf.exe
    "C:\Users\Admin\AppData\Local\Temp\typeperf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1808
- C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe
  "C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
6acacfadc7cc3fd33f03b6362c3cbdca

SHA1
4921fa960cbffa9da87cf193520ef4fa9a5ebdd4

SHA256
01ffe801459e62d7e792dc7ff9f949452650795b039994c74ad042dbf5cbaa38

SHA512
3ba4c3f94126aea0e8be9f7cdf4d1e8ca69d4906757a5433e154348ddd9534829b9b58f13c30e44f61df91ed9e09ffde5b744309dd6a4da54a721db7111d8539

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
399KB

MD5
5c7ee88e5b8e989a1a48e8005a14140e

SHA1
bd7e92e5b7420ee8a60174bdb163f43666df7186

SHA256
d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

SHA512
fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
399KB

MD5
5c7ee88e5b8e989a1a48e8005a14140e

SHA1
bd7e92e5b7420ee8a60174bdb163f43666df7186

SHA256
d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

SHA512
fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65

Download Submit
\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
399KB

MD5
5c7ee88e5b8e989a1a48e8005a14140e

SHA1
bd7e92e5b7420ee8a60174bdb163f43666df7186

SHA256
d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

SHA512
fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65

Download Submit
memory/668-108-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/668-111-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-60-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-65-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-76-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1396-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-56-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1396-85-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1768-94-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-96-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-82-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-109-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1808-110-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1868-95-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1868-81-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1868-79-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1868-83-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1956-66-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-107-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-93-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download