cybergate | 84a36f5b64fcb4588dc62e6c8fab5f2779af637cbaf00c09ddeaed6d3f4f03b8

Analysis

max time kernel
164s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11f515ca99c472dba50a7a6666a08eda.exe
Size

345KB
MD5

11f515ca99c472dba50a7a6666a08eda
SHA1

2408b3fb6b29ca7f1919fbdd0f598202015c895b
SHA256

84a36f5b64fcb4588dc62e6c8fab5f2779af637cbaf00c09ddeaed6d3f4f03b8
SHA512

38723d38a274b61c3f14a1cf872c07addee2e4eea5c5b214cc4823133b5eab8d58667f64430ab8863e4c1d61d03234f79668491d0c85b29a6f84cafaa24b37cc
SSDEEP

6144:vyRbsR0Q6GiiiGn9G5iiin55Yiiodd5nxiP55in554fiiYindGin5n5aJWQfSYPo:aRu0Q6GiiiGn9G5iiin55Yiiodd5nxi9

Score

10^/10

cybergate hawkeye ireformedi keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ireformedi

ireformedi.no-ip.biz:1604

Mutex

BQYX53HV370FL5

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	AppLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	AppLaunch.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F53VX0L-U7OT-840C-7Q0N-3046142Y3U2S}	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F53VX0L-U7OT-840C-7Q0N-3046142Y3U2S}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F53VX0L-U7OT-840C-7Q0N-3046142Y3U2S}	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F53VX0L-U7OT-840C-7Q0N-3046142Y3U2S}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	AppLaunch.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	11f515ca99c472dba50a7a6666a08eda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	nvscpaisvr.exe

Executes dropped EXE 3 IoCs

pid	Process
1988	explorer.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2896-25-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2896-27-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2896-28-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2896-29-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2896-33-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/388-69-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3264-196-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4420-198-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3264-255-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stereo Vision Control Panel API Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\nvscpaisvr.exe"	nvscpaisvr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	AppLaunch.exe
File created	C:\Windows\SysWOW64\install\server.exe	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 2896	1988	explorer.exe	104
PID 5104 set thread context of 388	5104	SearchFilerHost.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	explorer.exe
3700	nvscpaisvr.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe
3700	nvscpaisvr.exe
5104	SearchFilerHost.exe
5104	SearchFilerHost.exe
1988	explorer.exe
1988	explorer.exe
3700	nvscpaisvr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	11f515ca99c472dba50a7a6666a08eda.exe
Token: SeDebugPrivilege	1988	explorer.exe
Token: SeDebugPrivilege	3700	nvscpaisvr.exe
Token: SeDebugPrivilege	5104	SearchFilerHost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2896	AppLaunch.exe
388	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 1988	3136	11f515ca99c472dba50a7a6666a08eda.exe	103
PID 3136 wrote to memory of 1988	3136	11f515ca99c472dba50a7a6666a08eda.exe	103
PID 3136 wrote to memory of 1988	3136	11f515ca99c472dba50a7a6666a08eda.exe	103
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 1988 wrote to memory of 2896	1988	explorer.exe	104
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47
PID 2896 wrote to memory of 3488	2896	AppLaunch.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\11f515ca99c472dba50a7a6666a08eda.exe
  "C:\Users\Admin\AppData\Local\Temp\11f515ca99c472dba50a7a6666a08eda.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4420
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\System\nvscpaisvr.exe
      "C:\Users\Admin\AppData\Local\Temp\System\nvscpaisvr.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\System\SearchFilerHost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\SearchFilerHost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        6⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
755c357261c95ec630f03c9cdc7e439c

SHA1
b58b5e6e6198b027b9cd432aba4d51658448cb1d

SHA256
b129330c6c2f71dec2d1974eef3411f79654a67aaa399cede5fe1fa4119ac484

SHA512
5f5878414b658e4e5583cd204055cd946c4c37f848422c33a3302288c08dd597813b76e5c6377fda733fc237f40445c8b9f8cd79ed94508a8637e2c3abf42b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
066f37cc31c8a2cbef8969dac4ad7eea

SHA1
f13cdf143f278c64b2d6bff8aa439bb7fe273e6f

SHA256
d6b5373e0cf95892f981b0243c310d0efb43847f2182434c6fab1ed0c811f065

SHA512
cd428e07be1f0a080327c86a703360c4fe36189ae93c617704107418dc40a23c8630e6d4b8bedfe9b4f6982e8a6a54bc2710647734abe4eca3575f186bb61a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\SearchFilerHost.exe

Filesize
320KB

MD5
34e2b1054a32b8612c2fedfa36736020

SHA1
79368b5d266e464d9ed909f61cf427cb23b07e39

SHA256
005e4d6a9ab7ab2475dc176a62bf1ab0102287fd1953f82880c26695bbbc041b

SHA512
e13e2cae822064194931a2e64ad30c87269371fed6b37615d36b74a93564890efefc74e69729cc8904fe01e7f2e3ea8d086d052e48bca62c87ae832fb61944d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\nvscpaisvr.exe

Filesize
38KB

MD5
50e7ba3af86aa896670498219a2bb9f2

SHA1
c3eec7beaa09adc7141dcdac5c576382bea29e44

SHA256
e93fbcb8cca2099537203f4b1ac981988ea8f114b2f021935030d9b5d16d19e1

SHA512
08dfdd551c21fac4c7b1ec43cf2212240a391cbf983adc5cd18564ded245754849d0441d139b2fe8b56e3543a3137ffe38a40733487879061c56a3e90957ad2d

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
345KB

MD5
11f515ca99c472dba50a7a6666a08eda

SHA1
2408b3fb6b29ca7f1919fbdd0f598202015c895b

SHA256
84a36f5b64fcb4588dc62e6c8fab5f2779af637cbaf00c09ddeaed6d3f4f03b8

SHA512
38723d38a274b61c3f14a1cf872c07addee2e4eea5c5b214cc4823133b5eab8d58667f64430ab8863e4c1d61d03234f79668491d0c85b29a6f84cafaa24b37cc

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
memory/388-69-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1988-49-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/1988-15-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1988-16-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/1988-17-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1988-47-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/2896-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-28-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-29-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-33-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2896-27-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3136-24-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-0-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-5-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/3136-4-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-3-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-2-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/3136-1-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3264-255-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3264-196-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3700-46-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3700-94-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3700-97-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/3700-48-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/4420-51-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/4420-198-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4420-52-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/5104-57-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/5104-56-0x0000000001780000-0x0000000001790000-memory.dmp

Filesize
64KB

Download
memory/5104-55-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/5104-101-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/5104-103-0x0000000001780000-0x0000000001790000-memory.dmp

Filesize
64KB

Download