cybergate | 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Size

670KB
MD5

b0077bd93b27299296cd18dd55ba1274
SHA1

c5d5fa40ecef24140b9b04cb2f81326bb55cb710
SHA256

2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
SHA512

02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500
SSDEEP

12288:Jqg8d2RDvCYiJwa5FO7AnlxkqP03tbOY7ranR5/rieemCT3rrB96:og8lvvlxhMdbr7KR5TieBCjBA

Score

10^/10

cybergate tencent evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Tencent

symeon3melrich.no-ip.org:45010

danielclaudede.dyndns.org:13889

murazawahara.no-ip.info:7070

Mutex

4F65LA3N53DH5P

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ZBj2

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Executes dropped EXE 1 IoCs

pid	Process
3996	QTTask.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3648-157-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4812-160-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4812-163-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4812-166-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuickTime Task = "C:\\Program Files (x86)\\Quicktime\\QTTask.exe"	QTTask.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QTTask.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 3648	3996	QTTask.exe	90

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Quicktime\QTTask.exe	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
File opened for modification	C:\Program Files (x86)\Quicktime\QTTask.exe	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
3996	QTTask.exe
3996	QTTask.exe
3996	QTTask.exe
3996	QTTask.exe
3996	QTTask.exe
3996	QTTask.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Token: SeDebugPrivilege	3996	QTTask.exe
Token: SeBackupPrivilege	4812	vbc.exe
Token: SeRestorePrivilege	4812	vbc.exe
Token: SeDebugPrivilege	4812	vbc.exe
Token: SeDebugPrivilege	4812	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4752	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	83
PID 1720 wrote to memory of 4752	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	83
PID 1720 wrote to memory of 4752	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	83
PID 4752 wrote to memory of 2416	4752	vbc.exe	85
PID 4752 wrote to memory of 2416	4752	vbc.exe	85
PID 4752 wrote to memory of 2416	4752	vbc.exe	85
PID 1720 wrote to memory of 3996	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	86
PID 1720 wrote to memory of 3996	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	86
PID 1720 wrote to memory of 3996	1720	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe	86
PID 3996 wrote to memory of 3536	3996	QTTask.exe	87
PID 3996 wrote to memory of 3536	3996	QTTask.exe	87
PID 3996 wrote to memory of 3536	3996	QTTask.exe	87
PID 3536 wrote to memory of 3820	3536	vbc.exe	89
PID 3536 wrote to memory of 3820	3536	vbc.exe	89
PID 3536 wrote to memory of 3820	3536	vbc.exe	89
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3996 wrote to memory of 3648	3996	QTTask.exe	90
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91
PID 3648 wrote to memory of 4812	3648	vbc.exe	91

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	QTTask.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe

C:\Users\Admin\AppData\Local\Temp\2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
"C:\Users\Admin\AppData\Local\Temp\2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7n-xaa9i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAED4A4FE88934726AAD1427DBF9BF44.TMP"
    3⤵
    PID:2416
- C:\Program Files (x86)\Quicktime\QTTask.exe
  "C:\Program Files (x86)\Quicktime\QTTask.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eqkqrbfa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB441.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43B1886B9F9D452C87BDDFDB70D95835.TMP"
      4⤵
      PID:3820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4812
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        
        PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Quicktime\QTTask.exe

Filesize
670KB

MD5
b0077bd93b27299296cd18dd55ba1274

SHA1
c5d5fa40ecef24140b9b04cb2f81326bb55cb710

SHA256
2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

SHA512
02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500

Download Submit
C:\Program Files (x86)\Quicktime\QTTask.exe

Filesize
670KB

MD5
b0077bd93b27299296cd18dd55ba1274

SHA1
c5d5fa40ecef24140b9b04cb2f81326bb55cb710

SHA256
2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87

SHA512
02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\7n-xaa9i.0.vb

Filesize
495KB

MD5
7e5f8efa69eb9cc7aad9bcb260a3aa6e

SHA1
736845afa1f7c721fef72ba8e90bb3148dda4fd3

SHA256
bd695709c27bfc8eb641fc76b3388665e1e77151563a1eeebe82a3671787b169

SHA512
9ac8394dc7b6f36fb264f4e0116935ff39eed9da7e4ab73d2f2f97891d9d91dc8c02ae09e6a6488a16690c3bfdd6b2361f9cb43e1da66b9291c34b2bda2d0566

Download Submit
C:\Users\Admin\AppData\Local\Temp\7n-xaa9i.cmdline

Filesize
276B

MD5
c1688c7af34a0882e0856b88ceff37e0

SHA1
44cc3c54135ce4655bc8393a2be880a7527cba5b

SHA256
25e1b4a1594ac2307f8136b8ddcf94f9500ddd70150457e716a64c7e96c811e2

SHA512
385ba8bd32da6f1c197c729375fa841abf7de7d5822fc39bdc3818efd4ace66bb534353ca28935225fd75f938973c0a5df48edb42846ac2a4e7438d1d7fb8303

Download Submit
C:\Users\Admin\AppData\Local\Temp\7n-xaa9i.dll

Filesize
828KB

MD5
ba7c8eb2da6d5fe83bf38ad12317471f

SHA1
5bfcbb7276d77ca207c381ff99efb300aebfbb30

SHA256
186b376cedd22b4c6150d4d31ac30cdbfa95b7ed5f07d5435a54438cf615725e

SHA512
dd24f9df44db29bb6fa8dc05eb0917eefc40b02b8ffc0b681f03f49867b301ecfd18c788fce74e4062cde205bdf9296cafd431e87eb5696c583a32f2023d934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
808875e359b28814b60dea4ea691903d

SHA1
396c48f1346c1fe954a2225f22d8e79ab2cb72a3

SHA256
4f896bc5cb22c597ceea4d554a970a6696361df57bb06e01b55f77403fdf1868

SHA512
b0d3bc9eb03cac4d779ce305aacbcc4b4f383560ebc81115552ddc88d9cf0237c42655b518fe79d81079a6e4720884d14c2ffc4e8212f26eb647901172e52f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF8E.tmp

Filesize
1KB

MD5
b62ae3742deda407b7080d40b6968557

SHA1
f38b72fe718d2db8a81b640fe6b67533e6cdb128

SHA256
f9295655c3feab7049d80f6e2a2785ac6581998d3847bbb9316681f5e0299c42

SHA512
6d687c63b5739545a204f1c1b90716c9d2f2c42027032a8ad805781e11bfd4374352531458db41f3cd478eafa3e32c804ad391f511ba142aa46028be1e60ebd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB441.tmp

Filesize
1KB

MD5
e39476e85a73658151cb7727da96ff90

SHA1
68e9fae9917083de332f763ff44c6f7fa4ece7d2

SHA256
694ec29edba83fe94f0a9e338fb988769bf297eaf14fe99a510dfb0c1fc5c7cf

SHA512
337e2ea4d536daaca7dbc7f0a8faa7c9009dc2d9e0ba033d75d50e190668043d16002937c7b8a91bc97cb4cc98e2275b73fb1101f134534bf00c39b062fb7381

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqkqrbfa.0.vb

Filesize
495KB

MD5
7e5f8efa69eb9cc7aad9bcb260a3aa6e

SHA1
736845afa1f7c721fef72ba8e90bb3148dda4fd3

SHA256
bd695709c27bfc8eb641fc76b3388665e1e77151563a1eeebe82a3671787b169

SHA512
9ac8394dc7b6f36fb264f4e0116935ff39eed9da7e4ab73d2f2f97891d9d91dc8c02ae09e6a6488a16690c3bfdd6b2361f9cb43e1da66b9291c34b2bda2d0566

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqkqrbfa.cmdline

Filesize
276B

MD5
267141b5c1f3839597bc683968ea780c

SHA1
5df1ee9922a4487ae210e7a4ce88ad0b8882df7d

SHA256
07e514dc21187b4ce1024383367661d67e5681149aede5c8e1e0c6e7e6ae2ed5

SHA512
19411fcd2904e67d8a39c7898495ea3c0fb2895873f83551ef088f6e2daac3c500ac0d0804d53fff40c1ec5f2639f9ae91bbe5ff0da8a842bbf39794e886aa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqkqrbfa.dll

Filesize
828KB

MD5
6a0bb1d63ad481d719ec5d9526d7fae1

SHA1
a5e3e3905f815338f077c7d1bc01d631ebc27580

SHA256
e7f5ebac8cca5dbea4ce5a73cc993c29c8f262d13325962c4b4d5f70b82a2cd1

SHA512
fb72806916dde1811e0eae8b15eba7b3f04b55d5dedc2f6045378630674fef254e3cdb6d65a333faa5f4b4004cd7d14b422a8bc05d2d764d84be53eb22a3aa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc43B1886B9F9D452C87BDDFDB70D95835.TMP

Filesize
652B

MD5
fbee103de495fa60da31fa85defb441d

SHA1
cdaeb7ab0653b0595a80a959b48719fad82454a1

SHA256
6759f99a2e83b25631c49cfd56d2e5309607643aa1b76fefb63a2f9bf2633e2e

SHA512
17e68ab72537a3ea21964b4ea4394b9105470bb5e3b0a2bf6bfcbec070229f7c63d7575b83df4510d38b1932040fb3eb427c18f5197b08b915b20870164e847c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAED4A4FE88934726AAD1427DBF9BF44.TMP

Filesize
652B

MD5
342e9aa19cb14cc56000fe4aaba1c4df

SHA1
1eab2429c2036b07fe5bac5a824ceaca30a4758c

SHA256
bc3774bff36abf724ba94715c7706b35f7f7b52ebcbe31208d46018a3e92ea71

SHA512
4948f981094b47a9a40e49b851f7da4c29517aef34e8e20f482280ac52d02900b8b401aff5ac5bcd866414838b0db9e235191f61ddf122b59bc95f310c62b920

Download Submit
memory/1720-132-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/1720-164-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2280-162-0x0000000000000000-mapping.dmp

Download
memory/2416-136-0x0000000000000000-mapping.dmp

Download
memory/3536-143-0x0000000000000000-mapping.dmp

Download
memory/3648-157-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3648-152-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3648-153-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3648-154-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3648-151-0x0000000000000000-mapping.dmp

Download
memory/3820-146-0x0000000000000000-mapping.dmp

Download
memory/3996-165-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3996-150-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3996-140-0x0000000000000000-mapping.dmp

Download
memory/4752-133-0x0000000000000000-mapping.dmp

Download
memory/4812-160-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4812-163-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4812-156-0x0000000000000000-mapping.dmp

Download
memory/4812-166-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download