Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-07-2024 09:17
Static task: static1
Behavioral task: behavioral1
- Sample: 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe
- Size: 288KB
- MD5: 66faf8e2375b44fd77895c5f0fad3873
- SHA1: 42fc8b321ef7df3722ac23aa46c63a2132670ad7
- SHA256: b685bdd04753aa7ae2596497896c6d3bfd0314e81f6d03ab1fa189af0acd2397
- SHA512: 8d2bc46b56d995628e1e6036574686d0a90064698f38dde4600537e59d29d518c734463c73ca1af2b10806839c0c206933ef0b308bdc1d65ac7640d35685f629
- SSDEEP: 6144:S+s2FguwbkEvZ9+ZiKE4ZnNfqe42bzDtLFMI1fA4WMdE:e2gWEsnNe2bzL1pm
Malware Config
Extracted
cybergate
v1.07.5
Cyber
sequence.no-ip.biz:100
T67OKP4PD7XRO1
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: winlogin
- install_file: winlogin.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: tommerup
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI5QIC5E-57CN-6MK0-MW02-YCTX4G8YO675} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YI5QIC5E-57CN-6MK0-MW02-YCTX4G8YO675}\StubPath = "C:\\Windows\\system32\\winlogin\\winlogin.exe Restart" | vbc.exe
-
Executes dropped EXE 1 IoCs
Processes: winlogin.exe
pid | process
804 | winlogin.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3616-12-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/3616-13-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/3616-16-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe, vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe" | 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlogin\\winlogin.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlogin\\winlogin.exe" | vbc.exe
-
Drops file in System32 directory 4 IoCs
Processes: vbc.exe, vbc.exe
description | ioc | process
File created | C:\Windows\SysWOW64\winlogin\winlogin.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\winlogin\winlogin.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\winlogin\winlogin.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\winlogin\ | vbc.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe
description | pid | process | target process
PID 2028 set thread context of 3616 | 2028 | 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | vbc.exe
-
Modifies registry class 1 IoCs
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vbc.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: vbc.exe
pid | process
3616 | vbc.exe
3616 | vbc.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: vbc.exe
pid | process
564 | vbc.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: vbc.exe
description | pid | process
Token: SeBackupPrivilege | 564 | vbc.exe
Token: SeRestorePrivilege | 564 | vbc.exe
Token: SeDebugPrivilege | 564 | vbc.exe
Token: SeDebugPrivilege | 564 | vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 2028 wrote to memory of 3616 | 2028 | 66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe | vbc.exe
PID 3616 wrote to memory of 724 | 3616 | vbc.exe | iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\66faf8e2375b44fd77895c5f0fad3873_JaffaCakes118.exe")
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe)
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe")
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe")
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\winlogin\winlogin.exe (command line: "C:\Windows\system32\winlogin\winlogin.exe")
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
path | Filesize
C:\Users\Admin\AppData\Local\Temp\Admin2.txt | 224KB
C:\Users\Admin\AppData\Local\Temp\Admin7 | 8B (18 entries)
C:\Users\Admin\AppData\Roaming\Adminlog.dat | 15B
C:\Windows\SysWOW64\winlogin\winlogin.exe | 1.1MB