cybergate | 84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Size

440KB
MD5

31dd3a5285d12a359039ddd7e3f3bab1
SHA1

e4340ea43c59b9ef9d537faddbd7ab0910b3f4ed
SHA256

84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e
SHA512

058a85156b11da947e7ad86f44260cbfe51e88c445ad6f155952a5fce7e1cd201cf17e99cdefb373861b7d71d48c768df11e59d5cde2d6448babbeec283cf77b
SSDEEP

6144:qVoynDCGxPeRyslt9QFJZFuyPKonFVZMa9AhKLxDkCY4J1mqyGW/0+VErb+42kP/:EDCGxPDsH9QFnFJ7Zx9TwqyG+CZj

Score

10^/10

cybergate cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

Cyberjack.zapto.org:8499

Mutex

0J40358QU07X55

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe

Executes dropped EXE 2 IoCs

pid	Process
972	Svchost.exe
1120	Svchost.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7KKVD7DX-5181-8888-08BB-2825J3085E76}	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7KKVD7DX-5181-8888-08BB-2825J3085E76}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/940-70-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/940-79-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/520-85-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/520-91-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/520-109-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
520	explorer.exe
520	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 972 set thread context of 1120	972	Svchost.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
1120	Svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
520	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	520	explorer.exe
Token: SeRestorePrivilege	520	explorer.exe
Token: SeDebugPrivilege	520	explorer.exe
Token: SeDebugPrivilege	520	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
520	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
520	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 1696 wrote to memory of 940	1696	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	27
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15
PID 940 wrote to memory of 1368	940	84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
  "C:\Users\Admin\AppData\Local\Temp\84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe
    "C:\Users\Admin\AppData\Local\Temp\84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:520
    - - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:972
      - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\SysWOW64\WinDir\Svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
d7b892b0dfe5a5647eef2bb3e92fa352

SHA1
9e8d510ac126f7595a9a6b4090ccb4ea908288b6

SHA256
9075f56ef940de3666bd2d602affe61944b22c778804308dc89cd87dac32d512

SHA512
035a72f29a18b316d5f837e5a81957b09ff60977cadd6327766d1d25ca8fca8819dd426b308963de076d704c3ce663afdb21a42526fede4665a86e471af8dce4

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
440KB

MD5
31dd3a5285d12a359039ddd7e3f3bab1

SHA1
e4340ea43c59b9ef9d537faddbd7ab0910b3f4ed

SHA256
84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e

SHA512
058a85156b11da947e7ad86f44260cbfe51e88c445ad6f155952a5fce7e1cd201cf17e99cdefb373861b7d71d48c768df11e59d5cde2d6448babbeec283cf77b

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
440KB

MD5
31dd3a5285d12a359039ddd7e3f3bab1

SHA1
e4340ea43c59b9ef9d537faddbd7ab0910b3f4ed

SHA256
84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e

SHA512
058a85156b11da947e7ad86f44260cbfe51e88c445ad6f155952a5fce7e1cd201cf17e99cdefb373861b7d71d48c768df11e59d5cde2d6448babbeec283cf77b

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
440KB

MD5
31dd3a5285d12a359039ddd7e3f3bab1

SHA1
e4340ea43c59b9ef9d537faddbd7ab0910b3f4ed

SHA256
84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e

SHA512
058a85156b11da947e7ad86f44260cbfe51e88c445ad6f155952a5fce7e1cd201cf17e99cdefb373861b7d71d48c768df11e59d5cde2d6448babbeec283cf77b

Download Submit
\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
440KB

MD5
31dd3a5285d12a359039ddd7e3f3bab1

SHA1
e4340ea43c59b9ef9d537faddbd7ab0910b3f4ed

SHA256
84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e

SHA512
058a85156b11da947e7ad86f44260cbfe51e88c445ad6f155952a5fce7e1cd201cf17e99cdefb373861b7d71d48c768df11e59d5cde2d6448babbeec283cf77b

Download Submit
\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
440KB

MD5
31dd3a5285d12a359039ddd7e3f3bab1

SHA1
e4340ea43c59b9ef9d537faddbd7ab0910b3f4ed

SHA256
84c8370b0e52006c9e132261b3064bca0bf186a23f3d08526929198577e85b8e

SHA512
058a85156b11da947e7ad86f44260cbfe51e88c445ad6f155952a5fce7e1cd201cf17e99cdefb373861b7d71d48c768df11e59d5cde2d6448babbeec283cf77b

Download Submit
memory/520-91-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/520-109-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/520-85-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/520-78-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/940-70-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/940-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-66-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/940-79-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/940-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/940-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-107-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-108-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-110-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1368-73-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download