Analysis
-
max time kernel
150s -
max time network
72s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-06-2022 03:58
Static task
static1
Behavioral task
behavioral1
Sample
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe
Resource
win10v2004-20220414-en
General
-
Target
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe
-
Size
977KB
-
MD5
48929afcff653c2c0f2f34a5ac9128bc
-
SHA1
200062fa01991623b0f2867550cb7c565dad4502
-
SHA256
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2
-
SHA512
c2041c99170978088d389c780e995a30c83c5ff768cf2c930320f0baa93ea2330844f2c54eb797694f11e4c35abd2879ccfa1952df8df32207abc1b58ed4e423
Malware Config
Extracted
cybergate
v1.07.5
Cyb3r
myhostname.no-ip.biz:100
I43O1VJK33FR56
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
Server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" Server.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Server.exe -
Executes dropped EXE 4 IoCs
Processes:
7za.exeServer.exeServer.exeSvchost.exepid process 1352 7za.exe 1140 Server.exe 2016 Server.exe 1964 Svchost.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes:
Server.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B4VOSD-V6C2-4W7O-AX5B-CT0IOECHGN11}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B4VOSD-V6C2-4W7O-AX5B-CT0IOECHGN11} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B4VOSD-V6C2-4W7O-AX5B-CT0IOECHGN11}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B4VOSD-V6C2-4W7O-AX5B-CT0IOECHGN11} Server.exe -
Processes:
resource yara_rule behavioral1/memory/1140-69-0x0000000010410000-0x0000000010475000-memory.dmp upx behavioral1/memory/1140-78-0x0000000010480000-0x00000000104E5000-memory.dmp upx behavioral1/memory/1416-83-0x0000000010480000-0x00000000104E5000-memory.dmp upx behavioral1/memory/1416-86-0x0000000010480000-0x00000000104E5000-memory.dmp upx behavioral1/memory/1140-88-0x00000000104F0000-0x0000000010555000-memory.dmp upx behavioral1/memory/1140-95-0x0000000010560000-0x00000000105C5000-memory.dmp upx behavioral1/memory/2016-100-0x0000000010560000-0x00000000105C5000-memory.dmp upx behavioral1/memory/2016-101-0x0000000010560000-0x00000000105C5000-memory.dmp upx behavioral1/memory/2016-107-0x0000000010560000-0x00000000105C5000-memory.dmp upx -
Loads dropped DLL 6 IoCs
Processes:
cmd.exe1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exeServer.exepid process 912 cmd.exe 912 cmd.exe 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe 2016 Server.exe 2016 Server.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Server.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" Server.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" Server.exe -
Drops file in System32 directory 4 IoCs
Processes:
Server.exeServer.exedescription ioc process File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe Server.exe File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe Server.exe File opened for modification C:\Windows\SysWOW64\WinDir\ Server.exe File created C:\Windows\SysWOW64\WinDir\Svchost.exe Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Server.exepid process 1140 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Server.exepid process 2016 Server.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
explorer.exeServer.exedescription pid process Token: SeBackupPrivilege 1416 explorer.exe Token: SeRestorePrivilege 1416 explorer.exe Token: SeBackupPrivilege 2016 Server.exe Token: SeRestorePrivilege 2016 Server.exe Token: SeDebugPrivilege 2016 Server.exe Token: SeDebugPrivilege 2016 Server.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Server.exepid process 1140 Server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.execmd.exeServer.exedescription pid process target process PID 1972 wrote to memory of 912 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe cmd.exe PID 1972 wrote to memory of 912 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe cmd.exe PID 1972 wrote to memory of 912 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe cmd.exe PID 1972 wrote to memory of 912 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe cmd.exe PID 912 wrote to memory of 1352 912 cmd.exe 7za.exe PID 912 wrote to memory of 1352 912 cmd.exe 7za.exe PID 912 wrote to memory of 1352 912 cmd.exe 7za.exe PID 912 wrote to memory of 1352 912 cmd.exe 7za.exe PID 1972 wrote to memory of 1140 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe Server.exe PID 1972 wrote to memory of 1140 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe Server.exe PID 1972 wrote to memory of 1140 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe Server.exe PID 1972 wrote to memory of 1140 1972 1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe Server.exe PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE PID 1140 wrote to memory of 1364 1140 Server.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe"C:\Users\Admin\AppData\Local\Temp\1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pSaltyDave""3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\7za.exe"C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pSaltyDave"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Server.exeC:\Users\Admin\AppData\Roaming\Server.exe3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WinDir\Svchost.exe"C:\Windows\system32\WinDir\Svchost.exe"5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
224KB
MD54af5dd0550411628426b705c9fa50b4f
SHA17c9e4ddf1e7898f436d6a0e6c66b84f5b27e2172
SHA256916f2992d39bfcdb98b71d1366204c3e2e7a15be665c6e17bdc3372310dee4d8
SHA5123d655acd2c39dd77865a71e00f003712532cd1fb50992c64c44875e48d9e81bd9f0c39de173cb8f40f362c746f118856b0c025fc8fcd930bfdf2372d962f296d
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
C:\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
C:\Users\Admin\AppData\Roaming\Server.7zFilesize
248KB
MD53d9e49143ffe764c753204a64c5094ad
SHA15ffdf7c0b4977e2ebafef306d5b7fc4aa5fa70a2
SHA2565a626a58b4d4cd799f1b7327e9ebf7daef4ab025559ca739dd826884c5c62adb
SHA5128e8b9dd11a96a469f8db2e75cba2e71821a864ed6e2a874de2ed6bac40bb6e5d7d10cbdd3635162120931a070e894cbfe2c6e8275ed069f5270851cd5018b4f7
-
C:\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
memory/912-55-0x0000000000000000-mapping.dmp
-
memory/1140-69-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/1140-95-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/1140-65-0x0000000000000000-mapping.dmp
-
memory/1140-78-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1140-88-0x00000000104F0000-0x0000000010555000-memory.dmpFilesize
404KB
-
memory/1352-59-0x0000000000000000-mapping.dmp
-
memory/1364-72-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/1416-86-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1416-75-0x0000000000000000-mapping.dmp
-
memory/1416-77-0x0000000075051000-0x0000000075053000-memory.dmpFilesize
8KB
-
memory/1416-83-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1964-104-0x0000000000000000-mapping.dmp
-
memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/2016-92-0x0000000000000000-mapping.dmp
-
memory/2016-100-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/2016-101-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/2016-107-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB