cybergate | 9273df8a305a344bb9555d8805ac6e68a11ecaa5d60bca71b3df3722d10b8fe8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Size

175KB
MD5

ad50aa2fc8e9b3c948f55c0824a9b60d
SHA1

0dcef011d6db3bdd70fff964322860032153e497
SHA256

9273df8a305a344bb9555d8805ac6e68a11ecaa5d60bca71b3df3722d10b8fe8
SHA512

cab464743d6aaacfbd998c7b0f04e74c9b9d0dd6970075f826070d569161210d0afed91f573b85a4487f38de53b5cab59aba691d84b5fdab89aa11fe8ceada3c
SSDEEP

3072:TltXqnL2OJIA1B63w5hTkcS3MSBYZ4Myh9vdneiVZS6oSLQ8bN91bnK:Tr22OJIirrS3zYZ4HvdnZoSLQUxrK

Score

10^/10

cybergate victim discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2.2

Botnet

Victim

i1q8y-hard.no-ip.biz:85

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
config
install_file
explore.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
?? ??????? ?????? ?????? ???????
message_box_title
??? ?????
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Windows\\system32\\config\\explore.exe"	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Windows\\system32\\config\\explore.exe"	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\config\\explore.exe Restart"	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\config\\explore.exe"	explorer.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2908-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/2908-4-0x0000000024010000-0x000000002404D000-memory.dmp	upx
behavioral2/memory/2908-7-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/2908-27-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000e0000000233fa-60.dat	upx
behavioral2/memory/3644-57-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/3644-58-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/2908-53-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/2908-3-0x0000000024010000-0x000000002404D000-memory.dmp	upx
behavioral2/memory/2908-62-0x00000000022C0000-0x00000000022FD000-memory.dmp	upx
behavioral2/memory/2908-65-0x0000000024090000-0x00000000240CD000-memory.dmp	upx
behavioral2/memory/2908-116-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3644-143-0x0000000024050000-0x000000002408D000-memory.dmp	upx
behavioral2/memory/3016-145-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\config\\explore.exe"	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\config\\explore.exe"	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\explore.exe	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\explore.exe	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\explore.exe	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
Token: SeDebugPrivilege	3016	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56
PID 2908 wrote to memory of 3492	2908	ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:3644
- - C:\Users\Admin\AppData\Local\Temp\ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad50aa2fc8e9b3c948f55c0824a9b60d_JaffaCakes118.exe"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
b6d60e61943c5e23ebf58f473346d379

SHA1
82b0814114623ebf3e09927a75273de8d1e4b352

SHA256
78091b5e05d3a0f8dc16474b34e714c111f9e11c485b20258187a31c28c0ff25

SHA512
f5ca794774edb2d83a41283b6708e00ba85906e1ddd7751413222d572c10347c9df585725e716d07822a46e893701a47128de2bd28725e5826a0c2fcaa18cd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
140KB

MD5
62a52bd19501905931be2e81f3a3b48f

SHA1
7265b0ea7547bd91799c2ef20b6dc542272b97e1

SHA256
68188595c2579fd00c29592ace059e00e5ccdb50a9849db88f4212ff22a069f1

SHA512
5fe9af9aade41be1a1a24c3813b918b0482164d1e16b39520408a3f356056a7e5880a48920ac731197600e01f620486bdc396390ff3eb525081ed318f2e73658

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
C:\Windows\SysWOW64\config\explore.exe

Filesize
175KB

MD5
ad50aa2fc8e9b3c948f55c0824a9b60d

SHA1
0dcef011d6db3bdd70fff964322860032153e497

SHA256
9273df8a305a344bb9555d8805ac6e68a11ecaa5d60bca71b3df3722d10b8fe8

SHA512
cab464743d6aaacfbd998c7b0f04e74c9b9d0dd6970075f826070d569161210d0afed91f573b85a4487f38de53b5cab59aba691d84b5fdab89aa11fe8ceada3c

Download Submit
memory/2908-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-65-0x0000000024090000-0x00000000240CD000-memory.dmp

Filesize
244KB

Download
memory/2908-4-0x0000000024010000-0x000000002404D000-memory.dmp

Filesize
244KB

Download
memory/2908-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-53-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/2908-7-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/2908-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-3-0x0000000024010000-0x000000002404D000-memory.dmp

Filesize
244KB

Download
memory/2908-62-0x00000000022C0000-0x00000000022FD000-memory.dmp

Filesize
244KB

Download
memory/3016-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-56-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/3644-8-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3644-9-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3644-58-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/3644-143-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download
memory/3644-57-0x0000000024050000-0x000000002408D000-memory.dmp

Filesize
244KB

Download