Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 21:06
Static task
static1
Behavioral task
behavioral1
Sample
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe
Resource
win7-20220812-en
General
-
Target
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe
-
Size
324KB
-
MD5
6ebcda1124f4284d9cd414d4fb4927f1
-
SHA1
959e0a44e22b8654d16f93894ed04674fe57990a
-
SHA256
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132
-
SHA512
615612b60ae19d60b5fcd93da39590d99665785d4640968e33a2b0a299c4a77acf70121ebd8514f802ab3feeb69c28da3cea5a84e46679030b415b7ca75ae3bb
-
SSDEEP
6144:tN76eXCbOUG46slvcmX32XWhUkOJzYYGBnbvqgMjWPQkU7yowEq:X76WFkl0mnwWhUhZzgbqWVjV
Malware Config
Extracted
cybergate
v3.4.2.2
remote
185.17.1.192 :8600
LQ6721MAO24524
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
prince
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4GA2MC2X-5607-H1U1-T23W-4CH456J7740P} a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4GA2MC2X-5607-H1U1-T23W-4CH456J7740P}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4GA2MC2X-5607-H1U1-T23W-4CH456J7740P} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4GA2MC2X-5607-H1U1-T23W-4CH456J7740P}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe" explorer.exe -
Processes:
resource yara_rule behavioral1/memory/948-77-0x0000000010410000-0x0000000010480000-memory.dmp upx behavioral1/memory/948-86-0x0000000010480000-0x00000000104F0000-memory.dmp upx behavioral1/memory/628-91-0x0000000010480000-0x00000000104F0000-memory.dmp upx behavioral1/memory/628-94-0x0000000010480000-0x00000000104F0000-memory.dmp upx behavioral1/memory/948-96-0x00000000104F0000-0x0000000010560000-memory.dmp upx behavioral1/memory/948-103-0x0000000010560000-0x00000000105D0000-memory.dmp upx behavioral1/memory/1748-108-0x0000000010560000-0x00000000105D0000-memory.dmp upx behavioral1/memory/1748-109-0x0000000010560000-0x00000000105D0000-memory.dmp upx behavioral1/memory/1748-111-0x0000000010560000-0x00000000105D0000-memory.dmp upx -
Loads dropped DLL 1 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exepid process 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
reg.exea8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\i2zZfw9vej = "C:\\Users\\Admin\\AppData\\Roaming\\IjplzCUk\\UQMF1Xp.exe.lnk" reg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exedescription pid process target process PID 1668 set thread context of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exea8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exepid process 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exeexplorer.exedescription pid process Token: SeDebugPrivilege 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Token: SeDebugPrivilege 1748 explorer.exe Token: SeDebugPrivilege 1748 explorer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exepid process 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.execmd.exea8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exedescription pid process target process PID 1668 wrote to memory of 1324 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe cmd.exe PID 1668 wrote to memory of 1324 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe cmd.exe PID 1668 wrote to memory of 1324 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe cmd.exe PID 1668 wrote to memory of 1324 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe cmd.exe PID 1324 wrote to memory of 992 1324 cmd.exe reg.exe PID 1324 wrote to memory of 992 1324 cmd.exe reg.exe PID 1324 wrote to memory of 992 1324 cmd.exe reg.exe PID 1324 wrote to memory of 992 1324 cmd.exe reg.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 1668 wrote to memory of 948 1668 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE PID 948 wrote to memory of 1268 948 a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe"C:\Users\Admin\AppData\Local\Temp\a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "i2zZfw9vej" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IjplzCUk\UQMF1Xp.exe.lnk"3⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "i2zZfw9vej" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IjplzCUk\UQMF1Xp.exe.lnk"4⤵
- Adds Run key to start application
PID:992 -
C:\Users\Admin\AppData\Local\Temp\a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe"C:\Users\Admin\AppData\Local\Temp\a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132.exe"3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
PID:628 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2012
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
234KB
MD538c31fc86875e4754c974c26cfaa10ff
SHA1dfd57bd63b30e4d5b9bebbdfe4325931dbb49f40
SHA256fd455fc49d26b2b649645b9b4c8b2d343b8ee527ce728cbab2b49dcfe7f0381a
SHA512a7cf491f6149381d7f0575710d365bebc0ad34c81435614805a9ca30b931c2652dfaaf7c7a91a7f524cb203a9e95dc15deebaccbcafaef9cb4430073fd02c59f
-
\??\c:\directory\CyberGate\install\server.exeFilesize
324KB
MD56ebcda1124f4284d9cd414d4fb4927f1
SHA1959e0a44e22b8654d16f93894ed04674fe57990a
SHA256a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132
SHA512615612b60ae19d60b5fcd93da39590d99665785d4640968e33a2b0a299c4a77acf70121ebd8514f802ab3feeb69c28da3cea5a84e46679030b415b7ca75ae3bb
-
\Users\Admin\AppData\Roaming\IjplzCUk\UQMF1Xp.exeFilesize
324KB
MD56ebcda1124f4284d9cd414d4fb4927f1
SHA1959e0a44e22b8654d16f93894ed04674fe57990a
SHA256a8690f8ff169524ebc0581a202b9e78d094304c87853d8e9abe2b82328083132
SHA512615612b60ae19d60b5fcd93da39590d99665785d4640968e33a2b0a299c4a77acf70121ebd8514f802ab3feeb69c28da3cea5a84e46679030b415b7ca75ae3bb
-
memory/628-83-0x0000000000000000-mapping.dmp
-
memory/628-94-0x0000000010480000-0x00000000104F0000-memory.dmpFilesize
448KB
-
memory/628-91-0x0000000010480000-0x00000000104F0000-memory.dmpFilesize
448KB
-
memory/628-85-0x0000000074771000-0x0000000074773000-memory.dmpFilesize
8KB
-
memory/948-63-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-73-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-64-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-65-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-66-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-67-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-69-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-70-0x0000000000409860-mapping.dmp
-
memory/948-71-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-96-0x00000000104F0000-0x0000000010560000-memory.dmpFilesize
448KB
-
memory/948-110-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-75-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-77-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/948-103-0x0000000010560000-0x00000000105D0000-memory.dmpFilesize
448KB
-
memory/948-61-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-60-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/948-86-0x0000000010480000-0x00000000104F0000-memory.dmpFilesize
448KB
-
memory/992-59-0x0000000000000000-mapping.dmp
-
memory/1268-80-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/1324-58-0x0000000000000000-mapping.dmp
-
memory/1668-56-0x0000000073F70000-0x000000007451B000-memory.dmpFilesize
5.7MB
-
memory/1668-55-0x0000000073F70000-0x000000007451B000-memory.dmpFilesize
5.7MB
-
memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmpFilesize
8KB
-
memory/1668-74-0x0000000073F70000-0x000000007451B000-memory.dmpFilesize
5.7MB
-
memory/1748-100-0x0000000000000000-mapping.dmp
-
memory/1748-108-0x0000000010560000-0x00000000105D0000-memory.dmpFilesize
448KB
-
memory/1748-109-0x0000000010560000-0x00000000105D0000-memory.dmpFilesize
448KB
-
memory/1748-111-0x0000000010560000-0x00000000105D0000-memory.dmpFilesize
448KB