cybergate | f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9

Analysis

max time kernel
152s
max time network
169s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Size

281KB
MD5

34cc1d20e22310220b73994c25eaa954
SHA1

e14dde246b82f989f9aab8010393a213a399c470
SHA256

f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9
SHA512

32385ffc1ac4becd5e53dab55123ebd564dee4204b78275e8a1ed3e66c0d052029fa6629dc5a7cdf4cdfd4ef517f46a073e92e01d6eb1489f4032f4b56be6655
SSDEEP

6144:uVNR1nOabwU+pMtSprmPdrCZUF4tj/xENa7O94TD4yMG:mD1Oab++tSmwZRtj/xEN94wy7

Score

10^/10

cybergate new-p2p-110425 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

NEW-P2P-110425

teddypoisonwide.no-ip.org:2050

127.0.0.1:2050

Mutex

R4EJ8HN82UXK10

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
System
install_file
mplay32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
hedge
regkey_hkcu
Multimedia Manager

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\System\\mplay32.exe"	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\System\\mplay32.exe"	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Executes dropped EXE 2 IoCs

pid	Process
908	mplay32.exe
1920	mplay32.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1812-105-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-109-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-110-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-107-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-106-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-113-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-115-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-114-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-111-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/1812-117-0x0000000000340000-0x0000000000387000-memory.dmp	upx
behavioral1/memory/860-28943-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/860-28947-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1696-28965-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/860-28979-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/296-28981-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1696-33467-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/296-34662-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1920-57881-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Manager = "C:\\Users\\Admin\\AppData\\Roaming\\System\\mplay32.exe"	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 908 set thread context of 1920	908	mplay32.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1696	explorer.exe
Token: SeRestorePrivilege	1696	explorer.exe
Token: SeBackupPrivilege	296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Token: SeRestorePrivilege	296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Token: SeDebugPrivilege	296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
Token: SeDebugPrivilege	296	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 1812 wrote to memory of 860	1812	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	28
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17
PID 860 wrote to memory of 1244	860	f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
  "C:\Users\Admin\AppData\Local\Temp\f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
    "C:\Users\Admin\AppData\Local\Temp\f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe"
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:632
  - - C:\Users\Admin\AppData\Local\Temp\f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe
      "C:\Users\Admin\AppData\Local\Temp\f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:296
    - - C:\Users\Admin\AppData\Roaming\System\mplay32.exe
        
        "C:\Users\Admin\AppData\Roaming\System\mplay32.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:908
      - C:\Users\Admin\AppData\Roaming\System\mplay32.exe
        
        "C:\Users\Admin\AppData\Roaming\System\mplay32.exe"
        6⤵
        Executes dropped EXE
        
        PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
ccdbb3a838ccf6829738e4e1d734752e

SHA1
c2864a17dc0aa344c6f95b0fc5d199fdaaccab7a

SHA256
e4f8e67a13763bc79d9c4131b76837d9261b9dba6a5ca3566461f77742271a71

SHA512
c6ee357190c0d86b7978dbf023806168297fd574f23d7530e63127367c03244d38192ab2e0aeec1e7a965a9859edc67a9c2d4c06fc2005d89bc33ca235629671

Download Submit
C:\Users\Admin\AppData\Roaming\System\mplay32.exe

Filesize
281KB

MD5
34cc1d20e22310220b73994c25eaa954

SHA1
e14dde246b82f989f9aab8010393a213a399c470

SHA256
f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9

SHA512
32385ffc1ac4becd5e53dab55123ebd564dee4204b78275e8a1ed3e66c0d052029fa6629dc5a7cdf4cdfd4ef517f46a073e92e01d6eb1489f4032f4b56be6655

Download Submit
C:\Users\Admin\AppData\Roaming\System\mplay32.exe

Filesize
281KB

MD5
34cc1d20e22310220b73994c25eaa954

SHA1
e14dde246b82f989f9aab8010393a213a399c470

SHA256
f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9

SHA512
32385ffc1ac4becd5e53dab55123ebd564dee4204b78275e8a1ed3e66c0d052029fa6629dc5a7cdf4cdfd4ef517f46a073e92e01d6eb1489f4032f4b56be6655

Download Submit
C:\Users\Admin\AppData\Roaming\System\mplay32.exe

Filesize
281KB

MD5
34cc1d20e22310220b73994c25eaa954

SHA1
e14dde246b82f989f9aab8010393a213a399c470

SHA256
f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9

SHA512
32385ffc1ac4becd5e53dab55123ebd564dee4204b78275e8a1ed3e66c0d052029fa6629dc5a7cdf4cdfd4ef517f46a073e92e01d6eb1489f4032f4b56be6655

Download Submit
\Users\Admin\AppData\Roaming\System\mplay32.exe

Filesize
281KB

MD5
34cc1d20e22310220b73994c25eaa954

SHA1
e14dde246b82f989f9aab8010393a213a399c470

SHA256
f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9

SHA512
32385ffc1ac4becd5e53dab55123ebd564dee4204b78275e8a1ed3e66c0d052029fa6629dc5a7cdf4cdfd4ef517f46a073e92e01d6eb1489f4032f4b56be6655

Download Submit
\Users\Admin\AppData\Roaming\System\mplay32.exe

Filesize
281KB

MD5
34cc1d20e22310220b73994c25eaa954

SHA1
e14dde246b82f989f9aab8010393a213a399c470

SHA256
f15135de1e31e302b74253c3d3a4328fb9f443d8905330cc1da749f459add2c9

SHA512
32385ffc1ac4becd5e53dab55123ebd564dee4204b78275e8a1ed3e66c0d052029fa6629dc5a7cdf4cdfd4ef517f46a073e92e01d6eb1489f4032f4b56be6655

Download Submit
memory/296-28981-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/296-34662-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/860-28979-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/860-28947-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/860-28943-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1696-33467-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1696-28965-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1812-85-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-117-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-86-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-93-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-92-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-91-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-90-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-94-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-100-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-105-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-99-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-109-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-110-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-107-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-106-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-113-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-115-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-114-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-111-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-87-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-89-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-88-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-84-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-56-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-80-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-81-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-83-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-82-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-66-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-65-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-64-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-63-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-62-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-61-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-54-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-55-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1812-57-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1920-57881-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download