cybergate | e261b60c2939239a2b7365026bd41a5ca9a380b16830e69e9da14b611f214009

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Size

329KB
MD5

bbcf778115c3bc52ccf78be5afdc36a4
SHA1

afc259a86f0ec3a20ebc77fc3ded45097fc98a3b
SHA256

e261b60c2939239a2b7365026bd41a5ca9a380b16830e69e9da14b611f214009
SHA512

57348b0820303d10fdb045ecd29f46ae136d5bf70d789d7f8fe634447bef351fa9d485941b29023147582330d5bdf3dd305e34bf143919f88ef954e9db161c02
SSDEEP

6144:lVuhljEB/TZvZ9xkiH1fN/OUVNkEsJtb3p2SObkdz5Slb0iavszTaXSsjT:HIpI7ZhbH1f1Ouybb3p2SObe1yb0i7TS

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

reylocoip.no-ip.org:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows Live
install_file
Messenger.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\Windows Live\\Messenger.exe"	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\Windows Live\\Messenger.exe"	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17}	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17}\StubPath = "c:\\dir\\install\\Windows Live\\Messenger.exe Restart"	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17}\StubPath = "c:\\dir\\install\\Windows Live\\Messenger.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
5060	Messenger.exe
1048	Messenger.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\Windows Live\\Messenger.exe"	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\Windows Live\\Messenger.exe"	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3528 set thread context of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 5060 set thread context of 1048	5060	Messenger.exe	87

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3948-17-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3948-18-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2228	1048	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Messenger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Token: SeDebugPrivilege	2824	explorer.exe
Token: SeDebugPrivilege	2824	explorer.exe
Token: SeDebugPrivilege	5060	Messenger.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3528 wrote to memory of 3948	3528	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	83
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56
PID 3948 wrote to memory of 3520	3948	bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2296
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2824
    - - C:\dir\install\Windows Live\Messenger.exe
        
        "C:\dir\install\Windows Live\Messenger.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
      - C:\dir\install\Windows Live\Messenger.exe
        
        6⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 532
        7⤵
        Program crash
        
        PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1048 -ip 1048
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
f7a1c5cf3d4c58051cb9b451b812fe3b

SHA1
8002ae28fb6bc2e7767e02b76422df5312d14378

SHA256
b4f4bbcb4ae642102d970a448799a7100383c82dc9f1354d6a39a572dd233a27

SHA512
efbb7a33f86537e3adae71beb2259598538e2586011a90d302377171cd760d1ff71e269a80c39b27866d23392170000e5c06b3ced39cf0c210f443ed6c5c1a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6f064ccd018989a0d2b4f44e566edd40

SHA1
91560ff34bb704b833591e1de856b1af55a701e7

SHA256
63bbd240967016116d0c849575a0f8d5d60caf27cc8b8232b308c41edb7bb572

SHA512
861b9d9f2d6046fc426e8e5974f675a3f37b3bbb753346de440e152e8a3a098b85b4d63c7fd8e28ae9eca51cf917c33284fa72cc9ff7e65b2d00857027ede552

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f2b31ee869d96860e8bd422cf4a16f73

SHA1
c1de099c8b9b4edbe1d8d9c885ef63b5fcc51ec2

SHA256
6a8b17b9f784cd98803cf437233d42c5359de86c8199aedb42d85d75f60da5dd

SHA512
50ae335900e383d00c68f2371a4086afa57f69aa4ac617140873afdacebc2000e5475ae5ed6f35229f69657ef6dbb3af33a89600bb8e842f925d76d4437b12d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bec5f45ef390c7f107bd82cec18a17d1

SHA1
3a1cdc7d24ea4f41e72253e43588376a913427d3

SHA256
dc728f5b22d9668fd33817d1490d19daae76482e1ff2a6b3f6cf676f17d9263c

SHA512
a40d0294202e6ce197688b7209aa3230bd3988943af0841e951be0f61c47bb4c9c8943bb4630d6205cd03e232ec7c01d7d8fe3ac5719fa89438e0f06004771cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd83b5f1041c0659ebea8224ac736364

SHA1
1490dd0cacfb6cd61c0b73f9ab80f75209d80d15

SHA256
783f7aa8f34b242415cc75bf74eb91697e24314e0b415810ff470cb976f1cc95

SHA512
1003a9664c934db418bfd4e3c7c566c7e1029becb921532202c469c65b6ce59fdc2a558a2c17dd5beb541e34e210946c2550f6076b4f8f421802cdc68b67f10c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\dir\install\Windows Live\Messenger.exe

Filesize
329KB

MD5
bbcf778115c3bc52ccf78be5afdc36a4

SHA1
afc259a86f0ec3a20ebc77fc3ded45097fc98a3b

SHA256
e261b60c2939239a2b7365026bd41a5ca9a380b16830e69e9da14b611f214009

SHA512
57348b0820303d10fdb045ecd29f46ae136d5bf70d789d7f8fe634447bef351fa9d485941b29023147582330d5bdf3dd305e34bf143919f88ef954e9db161c02

Download Submit
memory/2296-23-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2296-83-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2296-89-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2296-88-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2296-84-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2296-85-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2296-22-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2824-153-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2824-151-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2824-189-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/2824-167-0x0000000075190000-0x0000000075798000-memory.dmp

Filesize
6.0MB

Download
memory/3528-1-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-2-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-14-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-0-0x00000000751F2000-0x00000000751F3000-memory.dmp

Filesize
4KB

Download
memory/3948-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-4-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3948-17-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3948-18-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download