cybergate | 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Size

670KB
MD5

b0077bd93b27299296cd18dd55ba1274
SHA1

c5d5fa40ecef24140b9b04cb2f81326bb55cb710
SHA256

2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
SHA512

02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500
SSDEEP

12288:Jqg8d2RDvCYiJwa5FO7AnlxkqP03tbOY7ranR5/rieemCT3rrB96:og8lvvlxhMdbr7KR5TieBCjBA

Score

10^/10

cybergate tencent evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Tencent

symeon3melrich.no-ip.org:45010

danielclaudede.dyndns.org:13889

murazawahara.no-ip.info:7070

Mutex

4F65LA3N53DH5P

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ZBj2

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Executes dropped EXE 1 IoCs

pid	Process
1512	QTTask.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1656-96-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1992-102-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1992-105-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1992-108-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QuickTime Task = "C:\\Program Files (x86)\\Quicktime\\QTTask.exe"	QTTask.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QTTask.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 1656	1512	QTTask.exe	35

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Quicktime\QTTask.exe	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
File opened for modification	C:\Program Files (x86)\Quicktime\QTTask.exe	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
1512	QTTask.exe
1512	QTTask.exe
1512	QTTask.exe
1512	QTTask.exe
1512	QTTask.exe
1512	QTTask.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Token: SeDebugPrivilege	1512	QTTask.exe
Token: SeBackupPrivilege	1992	vbc.exe
Token: SeRestorePrivilege	1992	vbc.exe
Token: SeDebugPrivilege	1992	vbc.exe
Token: SeDebugPrivilege	1992	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2012	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	27
PID 1128 wrote to memory of 2012	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	27
PID 1128 wrote to memory of 2012	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	27
PID 1128 wrote to memory of 2012	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	27
PID 2012 wrote to memory of 940	2012	vbc.exe	29
PID 2012 wrote to memory of 940	2012	vbc.exe	29
PID 2012 wrote to memory of 940	2012	vbc.exe	29
PID 2012 wrote to memory of 940	2012	vbc.exe	29
PID 1128 wrote to memory of 1512	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	31
PID 1128 wrote to memory of 1512	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	31
PID 1128 wrote to memory of 1512	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	31
PID 1128 wrote to memory of 1512	1128	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	31
PID 1512 wrote to memory of 788	1512	QTTask.exe	32
PID 1512 wrote to memory of 788	1512	QTTask.exe	32
PID 1512 wrote to memory of 788	1512	QTTask.exe	32
PID 1512 wrote to memory of 788	1512	QTTask.exe	32
PID 788 wrote to memory of 1556	788	vbc.exe	34
PID 788 wrote to memory of 1556	788	vbc.exe	34
PID 788 wrote to memory of 1556	788	vbc.exe	34
PID 788 wrote to memory of 1556	788	vbc.exe	34
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1512 wrote to memory of 1656	1512	QTTask.exe	35
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36
PID 1656 wrote to memory of 1992	1656	vbc.exe	36

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	QTTask.exe

C:\Users\Admin\AppData\Local\Temp\2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
"C:\Users\Admin\AppData\Local\Temp\2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulq-idlq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EA9.tmp"
    3⤵
    PID:940
- C:\Program Files (x86)\Quicktime\QTTask.exe
  "C:\Program Files (x86)\Quicktime\QTTask.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4bnzzioe.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24E0.tmp"
      4⤵
      PID:1556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1992
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        
        PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Quicktime\QTTask.exe

Filesize
670KB

MD5
b0077bd93b27299296cd18dd55ba1274

SHA1
c5d5fa40ecef24140b9b04cb2f81326bb55cb710

SHA256
2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

SHA512
02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500

Download Submit
C:\Program Files (x86)\Quicktime\QTTask.exe

Filesize
670KB

MD5
b0077bd93b27299296cd18dd55ba1274

SHA1
c5d5fa40ecef24140b9b04cb2f81326bb55cb710

SHA256
2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

SHA512
02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bnzzioe.0.vb

Filesize
495KB

MD5
7e5f8efa69eb9cc7aad9bcb260a3aa6e

SHA1
736845afa1f7c721fef72ba8e90bb3148dda4fd3

SHA256
bd695709c27bfc8eb641fc76b3388665e1e77151563a1eeebe82a3671787b169

SHA512
9ac8394dc7b6f36fb264f4e0116935ff39eed9da7e4ab73d2f2f97891d9d91dc8c02ae09e6a6488a16690c3bfdd6b2361f9cb43e1da66b9291c34b2bda2d0566

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bnzzioe.cmdline

Filesize
276B

MD5
0cc9dc57d595e8e52aae58c85d49d09d

SHA1
7eace804adc9557f086830c008ae6b31593b9f6e

SHA256
8fb32b45a22a002a6796bbed858e54ff5f18c3003c9341920d87f98b7378ec09

SHA512
a4a3be0aba32e2efab9d5d6053a997d933422454853e755197975c713c0d88cab77e87fd2fd88c3093ef657532a0c3a94d4525484050cc520a45f7be2289bb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bnzzioe.dll

Filesize
828KB

MD5
21647ff67d4bbc17d6eebe35d6920e95

SHA1
162c4644b6ae0012e343641a3b57cb96125fecd7

SHA256
f968ff986d220a185513cfa22218cbe57db3673e0b0adb95f5d4083876d911ad

SHA512
5efd88c9cedacb1b3a1ef95f0ec698dabb78bf473b6975eaab41163839bcda11c07643268ab47bd4e50272bb432eb68635de1c910909a14af2b32aa04974a8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
808875e359b28814b60dea4ea691903d

SHA1
396c48f1346c1fe954a2225f22d8e79ab2cb72a3

SHA256
4f896bc5cb22c597ceea4d554a970a6696361df57bb06e01b55f77403fdf1868

SHA512
b0d3bc9eb03cac4d779ce305aacbcc4b4f383560ebc81115552ddc88d9cf0237c42655b518fe79d81079a6e4720884d14c2ffc4e8212f26eb647901172e52f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1EB9.tmp

Filesize
1KB

MD5
5bf8ef842905b1a851800129f5a8a18d

SHA1
47fd3877959e80416bae613836689994c27f6b14

SHA256
4a7a1aad0d49020e79b1146e9496dc283ec0ed1530c7bdaffdea5df6ff3bdef3

SHA512
d2b4568e39fde32d2d7ddf95331f45af4411b7f333069f68cd208d1d4b3e0c430d2e53c7496e54c592cba156ab81c6367e76f0621e6ed4f572c75b5eb624df6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24F0.tmp

Filesize
1KB

MD5
5c16dd173ed2b11768506e587ea91c83

SHA1
380839679399cdda3135b2acba23a739f230fbc1

SHA256
9b4c18665ba25a4169934ac94dc72e15ac60fc6f468d51071a440c6d00f16110

SHA512
de4236de7af88e1e36502b419a990709a9208e0e66494ad472db5e39f96583876f823efc61df06170d94e1da96b90588267dac5a6cf216da25619a809115b469

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulq-idlq.0.vb

Filesize
495KB

MD5
7e5f8efa69eb9cc7aad9bcb260a3aa6e

SHA1
736845afa1f7c721fef72ba8e90bb3148dda4fd3

SHA256
bd695709c27bfc8eb641fc76b3388665e1e77151563a1eeebe82a3671787b169

SHA512
9ac8394dc7b6f36fb264f4e0116935ff39eed9da7e4ab73d2f2f97891d9d91dc8c02ae09e6a6488a16690c3bfdd6b2361f9cb43e1da66b9291c34b2bda2d0566

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulq-idlq.cmdline

Filesize
276B

MD5
20f8cc6ec3aef1c1dbb7ba74305c49da

SHA1
f071b4a91183cceb991c2a53a24eee71a5164613

SHA256
0cb1649bff702bb3d3055178d709b879db8d482c72bb6b26dbc53674034b6910

SHA512
1f72a20a6da8a84f3e72883c8b196bedecf33ed8c276f565c37f19e711ec5c909b4288fbd38ab1fcfed137cda61e769c004c984e8d0e8e9b50042b99c68a9654

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulq-idlq.dll

Filesize
828KB

MD5
17e43d393c8d35f0c7e048d33b7375dd

SHA1
2af608a8c494a4cad8ecea5aa532be700f480673

SHA256
84590ba2ec174764d0c58029a6c4fb4b9970790f1f0e0dfa8c67a1c3f1b2cbf3

SHA512
b38a8a1c21c28b5837b1f4a0dd1e4d3ec1bf77c7f4c8cebd0c34eb00ba0e959e7a0fb0bf3291306061f43ac97da717105d0b5c22ae3525bd3325226976486095

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1EA9.tmp

Filesize
652B

MD5
1d3e212789a4f0d8fecca7618325c975

SHA1
3577389009237c5a7eed3e0f3ac965fe8fcf08e1

SHA256
075a6368434af7b75c3b2ab02bd11b5aaee4be846234d466d07ed30d8590b4a2

SHA512
f7370b432aa77c345776bc06a2d0adc6477d0cb8b3ff84a0dc672ecf6669f7107706674028e46b111564a2ca34672f14b26a711bffc16e5ea4a00a53f6e30f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc24E0.tmp

Filesize
652B

MD5
d853aedbf23fbe2aa294f219fc6c988c

SHA1
567a5b06e303de9a89fb19aad22880509962dee7

SHA256
73d89fd55a7ed88113f904f9ce3ce512071b872086d534fc75e0efae9dc06a4d

SHA512
35f9887ad62b056113055d5d9327d5fb47358190d9b96f6fed70e4b1d3875416ca3330b49d0b90c5c6c344d083e25a4007e4780378dafc7838cae0ba02cd8622

Download Submit
\Program Files (x86)\Quicktime\QTTask.exe

Filesize
670KB

MD5
b0077bd93b27299296cd18dd55ba1274

SHA1
c5d5fa40ecef24140b9b04cb2f81326bb55cb710

SHA256
2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

SHA512
02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500

Download Submit
\Program Files (x86)\Quicktime\QTTask.exe

Filesize
670KB

MD5
b0077bd93b27299296cd18dd55ba1274

SHA1
c5d5fa40ecef24140b9b04cb2f81326bb55cb710

SHA256
2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

SHA512
02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500

Download Submit
memory/1128-62-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-106-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1512-88-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-107-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-89-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-96-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1656-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-85-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-91-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-92-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1656-101-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1992-102-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1992-99-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1992-105-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1992-108-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download