Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2024 17:04

General

  • Target

    7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe

  • Size

    369KB

  • MD5

    7079223f4284eccaa190e7defa1153cc

  • SHA1

    0cc9ac32371e837b5006f4a5a39bd80178ca339a

  • SHA256

    17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14

  • SHA512

    b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d

  • SSDEEP

    6144:GStXQhoyq04rVmZ3k4cSbgzsdrVRRetrEpsKHAK3m+jDt+YTvLRUQSOObAIASglQ:yRyBUnZ4urEo2PmSKu44Fkm9U

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

1yop.no-ip.biz:100

Mutex

7R65OQ0XHTGJ73

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4168
        • C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
              PID:916
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 76
                5⤵
                • Program crash
                PID:2792
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              4⤵
                PID:5004
              • C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\7079223f4284eccaa190e7defa1153cc_JaffaCakes118.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:3904
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1020
                  5⤵
                  • Program crash
                  PID:4912
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1028
                  5⤵
                  • Program crash
                  PID:4700
            • C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
              C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
              3⤵
              • Adds policy Run key to start application
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2452
              • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3812
                • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                  C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                  5⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:1760
                  • C:\Windows\SysWOW64\explorer.exe
                    explorer.exe
                    6⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3264
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    6⤵
                      PID:820
                    • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                      "C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe"
                      6⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      PID:516
                      • C:\Windows\SysWOW64\WinDir\Svchost.exe
                        "C:\Windows\system32\WinDir\Svchost.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1244
                        • C:\Windows\SysWOW64\WinDir\Svchost.exe
                          C:\Windows\SysWOW64\WinDir\Svchost.exe
                          8⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4936
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 596
                            9⤵
                            • Program crash
                            PID:3820
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 916 -ip 916
            1⤵
              PID:2004
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4936 -ip 4936
              1⤵
                PID:1336
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3904 -ip 3904
                1⤵
                  PID:3940
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 3904
                  1⤵
                    PID:4268

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Persistence

                  Boot or Logon Autostart Execution

                  3
                  T1547

                  Registry Run Keys / Startup Folder

                  2
                  T1547.001

                  Active Setup

                  1
                  T1547.014

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  3
                  T1547

                  Registry Run Keys / Startup Folder

                  2
                  T1547.001

                  Active Setup

                  1
                  T1547.014

                  Defense Evasion

                  Modify Registry

                  3
                  T1112

                  Discovery

                  Query Registry

                  1
                  T1012

                  System Information Discovery

                  2
                  T1082

                  System Location Discovery

                  1
                  T1614

                  System Language Discovery

                  1
                  T1614.001

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
                    Filesize

                    224KB

                    MD5

                    919ba70cec60edcb60768e19cd141dd3

                    SHA1

                    a85d036a5870e1e93452e1fbf2038bef742aa5b1

                    SHA256

                    0fef70d7ec92abd277f6c0e8edcf4763148e99510027f19588cb524181eba236

                    SHA512

                    24ee99a918afbed8dd23074d8fc4261f7c91cf1eea14088dd841732cdc57e8cb903a370e98c728d4869dbd3bd831f8987f309bad2eb34c3493ee3a0018435b24

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    2c360695886afe7208b71059b1e49ba7

                    SHA1

                    26288135beef8b92e87e1da338a395273c421096

                    SHA256

                    598df483c2c8fe22e93c53ddfd1d39b2b06e128b0a7954bba8099791b78e5454

                    SHA512

                    e2a4c8dff6bef4c3b6fc641371400830268ddd6118b04f25b29161be715dd974bc3d13c6b4034ed88852221584f993635168ce477914c21a8af7767c387519e2

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    cc941502c8372c30ee1f58ffc8f78799

                    SHA1

                    b50d8cf4e18ef1f32dee8baaedcd11191bc87a31

                    SHA256

                    83398c7cdbe4d971934d8ee59b0e2db62de0b250b3ffc955592cd11234c42efc

                    SHA512

                    1c2279f37f8df63c5b79f8234008d743ed28e834eaccfabc72942f17333c8508de544eddcecb04f8f61eb59361ceec14cbc0b040a14dd2af57a18dc5ea257ef2

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    701f2d42263c30b6a1414bdd49d788c7

                    SHA1

                    f9e6e49500bf43dbeb5e1931a4cc3319db8c64c1

                    SHA256

                    570731d766778063081d6e7b6b0591a4504a2a32e186616f475ad08ce18a74bb

                    SHA512

                    7e377451cd77922ba4ef163464fb6609b750c12f7284315935c00bd214a0b4d0b54413254b5000a91e03002cf736348be3554923bae3fb1bac75344ee03905d8

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    09102a032025408f6b4012808c287bf6

                    SHA1

                    c91ac053b22fbefc448c611f20c4fdcb4b1b8729

                    SHA256

                    039fde84c67d69fee84e46bd379429cdbe746115fd583a40439060ecc38f328f

                    SHA512

                    06a7feba922b73a3327fbc7ffb2ad7b9546d326eefafaa99680ec5feca01fcd1c7a051e43307464d918ba66e7df3d97e47411dcb601727a366e7670a53d31021

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    83cf676b847fd9925e632dde99d9bdb3

                    SHA1

                    01e38037843f6f07cb8035a2e11753518f259f5b

                    SHA256

                    d469e67e5cb4f28f000ae237fffd99667854cea45fbcf9d3df17a7b6dc2315ee

                    SHA512

                    c12da63bb85d8a6954337f5aff36b18bfe9a067d0509982a2b2529abc4a3413f9fd93f6801f672ca305e43cca823b0d330b26080242498cdea3ce57f043381f1

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    35e287edecf363c94a4151d07ed58588

                    SHA1

                    b6d7867c7b305f1443a847ebe11b762ece65b2a1

                    SHA256

                    e951521cfb4a3eb8ef4cbaa3a6f881f17e4556edb315c747c1dc9a7a6cdc16c4

                    SHA512

                    3a7dbbe86918fdf765f5cf3a804f5935655269799b7320d347b82d0771529cad2f1f153613fefdab6595186cfa85ce6da0595f91b4e7838778fbb2f2d87f70ee

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    48a17c2d18c5eb847e0219c4b4dca20d

                    SHA1

                    66a5fe81ef145de42b765d14b7eb081cb007221d

                    SHA256

                    ec94a418ca61d810505609d1f69c3c8e34e68a7ff4aca49c4923fc56a2242791

                    SHA512

                    06d9294c4ce2e3503bd387074302a4a5d12cda2a046d728fbd48a9b7cbdbfa5cf77c3cea90c0570079b44452c4d64971ed80ad69830df7585e2c12dc571e3054

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    cb173be46e060e86490aab9a33eeee7e

                    SHA1

                    db96cdbf9469bcdd26a42290c5e611e67d181e9a

                    SHA256

                    bc1ad32f6b7120349aeade9f3be4b0ff78a39f113c2859cb93b02f18c517704d

                    SHA512

                    38e1ea476184e553ba4ea8a44776fc49d4486d0322e4164fd678965cd94dc0a1fb135f8ad26768511c40031b053b22d90b02855478d3f202961297cae15121fe

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    75f91e87a61df435d5f196a629528b5a

                    SHA1

                    240abfd7974a65887d0378fbd354267d721dbdba

                    SHA256

                    5ce2c6b00c262ac80246dc0bd122a4c4a3f63148dbdea79e4d52fd1e665cb7e4

                    SHA512

                    2bfcbdaf8bc5451acf62af2bd09091798458451f01e169685810d10d696a4f5ba085f111c7edba1614cdbe69d71120743672a5a9afb25f8edc44727a21715377

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    acd70db2b704ca2ce243400f7b0b82d4

                    SHA1

                    e529f3d1abd96c9a010da0f18571807ff1ac9e68

                    SHA256

                    273a95e113c9342db080e3daf32594b2886683dc074737f00b32284857ec116e

                    SHA512

                    bfbbbbe9271162adfbd2e4ee8b149af25c7a9e76fe3dad67ffcd1fedbfe636533d08875b9ac25adda167e04d0d5347a9c0d99421dcef9c2b82fe9a6392a21b96

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    948734250cec8fcdda6c67d29c526a91

                    SHA1

                    58ffbe6276285a6f3da38b2ccf47f0f744d3ba8c

                    SHA256

                    c334eb37f5452f68e0e3e640cfeeec57fccfbeedad6b89791e5abcd8af8f267c

                    SHA512

                    16b3d8abaeb064d4f799c510830599bc79c12c81844a22fdc517609c842e758bdfa8dc0b7bd079a6d12b2cad7f090a822657910e1ea75fbccb3b437e16176921

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    eb699d886dedf0d9a1f264a78c0b2c89

                    SHA1

                    14ca9b1ec8ce78d02c492b9a6232473005b29d44

                    SHA256

                    7960924647e7d782838374217f1d440f791ce2348446139ae2ad427f7b847221

                    SHA512

                    4d64df2685939afe1fa5ecb8441427f20552bad548f195e5140068e40a1d3054427878efd681ec4a4f898a354fbfd8de0079c813a4f7f1844a455455fcac05f8

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    149582553a499982e1085aa992a11524

                    SHA1

                    4dc6a032f1287890635d7585c092fe85c4d47447

                    SHA256

                    1aeebe658a2d36768a2594f07c6442c777bf998ad832fba7014dc8af1aac4f18

                    SHA512

                    03caaf3f9eebce0e28a357aebad6dd22cd585b9298ccddcf5e9bdf521e8d99165c03bee4d90c99c87d3279cc835fcb8fcaaa7ae33873df42f7a0c0979f634181

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    955be95c10959f058b952f1a0f883d6f

                    SHA1

                    11b0da6776845fab3614dba061c7840ef01a5e9a

                    SHA256

                    6e61d11fa333f4400888734cd4ae9ef9100696b7e93c94fca2942017b3bd9526

                    SHA512

                    d6bbef4a85c67a01d47982a56c81c08fcf2acbeff2bf26ee4d2f140a2f329b407addeb78874d21bac4fe9fbace4fefbb21e53463902fee4a50c6514312846f5e

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    861f083ae441475137ec11cca696b5de

                    SHA1

                    ae7af2b788a3443e9d922117e894e3b40c7424f2

                    SHA256

                    9010fdc44c7b535bc67d2cb035a99fa2f66bd97c715f188ba45ba07609a0ddba

                    SHA512

                    a11588ae7bacc0b381e4c2950f81fd845600d704b0a7d0a245a6ee9da07d2d077385e0e9dc35e4508a7e2d8630106cb610aeac269163e9d5aa081c1bd7c9a8af

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    09d10ddfcf25d00a39fa26b4a5708b37

                    SHA1

                    a0ac63c26a8e5927c0e5a6a67a94b063776057da

                    SHA256

                    36bc62e827d9f97aed54c6af7c32d23e52fc30a8c889e4200ea9b9bb44087799

                    SHA512

                    2ffe1a253b273c0ba1fbe16bdeb0c070150e259f65bef02157a305f5ac8cb4e3a001f0c89b3066677b035716e67f469e035aa2c0b716ec1cb3e7ca92d7c68bea

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    3de31b4c801e3d1c6b4b1f1030ed4c8b

                    SHA1

                    1ba01b05c05921a46db6cb2372d4df4faedd334c

                    SHA256

                    db691e41ecea70c059d98416f50c088de674862a624465b059d660ba1fd6cc46

                    SHA512

                    839c64c874945b2333adc3b13cde2273316f2839538ba7565f5040a95056d90952b13a4cb5310be0fdfca79f71a7ac8a360d133519ba2050319e8f915295c784

                  • C:\Users\Admin\AppData\Local\Temp\Admin7
                    Filesize

                    8B

                    MD5

                    f2ea15b40d734fbdfd2d11dab89a71ad

                    SHA1

                    ed7d202326ed2b0464646d5764b372432ddcaff6

                    SHA256

                    bdd059bf6263e7d299ccdba6b3acd3de648a6375f6bb4c4a36d93ec888441cbd

                    SHA512

                    97c4b32808329cb72f8311248ac8a1e175954c15c1bc037fb49024845b0887d387b42ee37fe9906d451fa082f0baa3cd06de51b9d419809a40912deea6559add

                  • C:\Users\Admin\AppData\Local\Temp\System\WmiPrwSE.exe
                    Filesize

                    369KB

                    MD5

                    7079223f4284eccaa190e7defa1153cc

                    SHA1

                    0cc9ac32371e837b5006f4a5a39bd80178ca339a

                    SHA256

                    17977cf4549f13807702f1298b9111455e7df56f948f4d53ea1ebe6441e54a14

                    SHA512

                    b840209bde31000983c691dc4eb74b2eef7395fdf062b7a9726b8b276264777e434b52ead2cdc9e837574fd9a20ba174df8b04afa9ed4ca731ab2b927991557d

                  • C:\Users\Admin\AppData\Local\Temp\System\audidgi.exe
                    Filesize

                    8KB

                    MD5

                    514efe550078fbedb88e23774742e295

                    SHA1

                    971bcc5648e1a70ef6a9a7c909663d2e01a31473

                    SHA256

                    673528eae87d1f48f9a8238de868e8f44aa92575744259a7a3e8b5ac34ca9ca2

                    SHA512

                    b952bd54f348b7d39b1a2f2a322068d31a4837988aceb09821bd6f54216f79f356868497b44f17e060e3fc6c5b130caaf247a64dc0bb49569ba4b8472cf34451

                  • C:\Users\Admin\AppData\Roaming\Adminlog.dat
                    Filesize

                    15B

                    MD5

                    bf3dba41023802cf6d3f8c5fd683a0c7

                    SHA1

                    466530987a347b68ef28faad238d7b50db8656a5

                    SHA256

                    4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

                    SHA512

                    fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

                  • memory/916-30-0x0000000000D40000-0x0000000000D41000-memory.dmp
                    Filesize

                    4KB

                  • memory/916-31-0x0000000001000000-0x0000000001001000-memory.dmp
                    Filesize

                    4KB

                  • memory/1760-36-0x0000000010480000-0x00000000104E5000-memory.dmp
                    Filesize

                    404KB

                  • memory/1760-40-0x0000000010410000-0x0000000010475000-memory.dmp
                    Filesize

                    404KB

                  • memory/2452-1160-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/2452-928-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/2452-21-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/2452-16-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/2980-8-0x0000000000400000-0x0000000000451000-memory.dmp
                    Filesize

                    324KB

                  • memory/2980-10-0x0000000000400000-0x0000000000451000-memory.dmp
                    Filesize

                    324KB

                  • memory/2980-26-0x0000000010410000-0x0000000010475000-memory.dmp
                    Filesize

                    404KB

                  • memory/2980-7-0x0000000000400000-0x0000000000451000-memory.dmp
                    Filesize

                    324KB

                  • memory/3812-1402-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/3812-1161-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/3812-22-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/4168-927-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/4168-695-0x0000000074FF2000-0x0000000074FF3000-memory.dmp
                    Filesize

                    4KB

                  • memory/4168-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB

                  • memory/4168-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp
                    Filesize

                    4KB

                  • memory/4168-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp
                    Filesize

                    5.7MB