Analysis
-
max time kernel
78s -
max time network
78s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
24-03-2023 13:31
General
-
Target
Officeexploit.exe
-
Size
6.9MB
-
MD5
c862188d5b7ff565649a8910e1de5567
-
SHA1
fb2136bbcd0906b1475aa9fcc6b60aa73b1e60c8
-
SHA256
e177f76028426973fee6f4da522dc1c3a2b7cc8ee47ba1d3ca9ae5388f415c61
-
SHA512
8d07661c05f19f8773ef3a1aae063374fb7f24425acf45c068d567eaf1afb61a12b3026c8a13f9e24100835f26ccf2871f155d2b1f9b8a121fa9097827aaacde
-
SSDEEP
49152:G2iFjtp/eaXvBINUm0lcMvzDhQozYgCfg85UQn4lK5iTkV8u9HUIWz/OrZHzlcvG:GPjG
Malware Config
Extracted
asyncrat
VenomRAT_HVNC 5.0.4
Venom Clients
0.tcp.in.ngrok.io:16536
ddzucoqijfsxpd
-
delay
0
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 3 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Officeexploit.exe"C:\Users\Admin\AppData\Local\Temp\Officeexploit.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Office Exploit Builder.exe"C:\Users\Admin\AppData\Local\Temp\Office Exploit Builder.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-1LQSJ.tmp\Installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-1LQSJ.tmp\Installer.tmp" /SL5="$D005C,374260,57856,C:\Users\Admin\AppData\Local\Temp\Installer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\Avira Antivir\avirascan.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSchtasks.exe /create /F /tn "Avira routine scan" /tr "C:\Users\Admin\AppData\Roaming\Avira Antivir\Check for updates.bat" /SC DAILY6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\xcopy.exexcopy /s /y /k /f "C:\Users\Admin\AppData\Roaming\Avira Antivir\Check for updates.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"6⤵
- Drops startup file
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\Avira Antivir\check for updates.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Avira Antivir\quiet.exe"C:\Users\Admin\AppData\Roaming\Avira Antivir\quiet.exe" "C:\Users\Admin\AppData\Roaming\Avira Antivir\Updater.bat"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Avira Antivir\Updater.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 998⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\The Silent Office Exploit.exe"C:\Users\Admin\AppData\Local\Temp\The Silent Office Exploit.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client.exeFilesize
65KB
MD5817f181c907b3889ca7bfb5b04f6a9d3
SHA1ae308f1f09986d147031da9fd095e3481e4f7ceb
SHA25652970cb84ea90b32d4987479fdf494e8f383de0b4a55bb7b08af604a4a174a3a
SHA5128d0374abcf16ca0fb2efe95f6f6d1d7b4b988df55118b0e9c33aa0caadda5906bba6f93f256423089200ff18786f11a3a14b3b6fef724d5315cd8e21e6667aea
-
C:\Users\Admin\AppData\Local\Temp\Client.exeFilesize
65KB
MD5817f181c907b3889ca7bfb5b04f6a9d3
SHA1ae308f1f09986d147031da9fd095e3481e4f7ceb
SHA25652970cb84ea90b32d4987479fdf494e8f383de0b4a55bb7b08af604a4a174a3a
SHA5128d0374abcf16ca0fb2efe95f6f6d1d7b4b988df55118b0e9c33aa0caadda5906bba6f93f256423089200ff18786f11a3a14b3b6fef724d5315cd8e21e6667aea
-
C:\Users\Admin\AppData\Local\Temp\Installer.exeFilesize
606KB
MD5b0718c86ba8028a17ee525161811c4d0
SHA199f17bd173013f13b3e6030bf657a30fe610222f
SHA256d34c28898bd28772b36aaf98bc479740c5b5874dcf8f11079d3b004dd4088d21
SHA5128a6a4e1222a9eaddfaa14b0174714e59368417d8d42d4471edd38c32f9b83ce1dd7195941e7cb3f11c3d67679b0a6e530d416683e4ba363eb1a5905f35093bd1
-
C:\Users\Admin\AppData\Local\Temp\Installer.exeFilesize
606KB
MD5b0718c86ba8028a17ee525161811c4d0
SHA199f17bd173013f13b3e6030bf657a30fe610222f
SHA256d34c28898bd28772b36aaf98bc479740c5b5874dcf8f11079d3b004dd4088d21
SHA5128a6a4e1222a9eaddfaa14b0174714e59368417d8d42d4471edd38c32f9b83ce1dd7195941e7cb3f11c3d67679b0a6e530d416683e4ba363eb1a5905f35093bd1
-
C:\Users\Admin\AppData\Local\Temp\MaSil.jpgFilesize
61KB
MD54d6304f5916a069832fa8d74dd2cfb2d
SHA10089026bd3e315b58d870819c216f2c847b73329
SHA2560ef3a013cd9eea356e603218ea94d06c4cf755653f5aca7ad5c585496f4b886e
SHA5125c8e05c7f5302a51750c50c30ce615c4d0436791d0bad8156c793e24c5d45aea4d445c1c7a3a1928b0c751f4fa773a26b16434e31a14b9e9a1a7e511318ecfd5
-
C:\Users\Admin\AppData\Local\Temp\Office Exploit Builder.exeFilesize
4.9MB
MD578cf3331470873f42d662efad2eb64d8
SHA1dcb9e84753f80eebca89b199937c5742af5b57d3
SHA2566c2cee928da960619a18ed576c1f2370c2c0a9c13021071687ee0674b376873c
SHA5128db868afd841b42a91d8eec07dd3d299317c6e0118c6bc176e6b104b1713168fbcfd93eb788b83366225f5de35a1dd143e72121f7ee60ff4ca0aaf7cf4655bf4
-
C:\Users\Admin\AppData\Local\Temp\Office Exploit Builder.exeFilesize
4.9MB
MD578cf3331470873f42d662efad2eb64d8
SHA1dcb9e84753f80eebca89b199937c5742af5b57d3
SHA2566c2cee928da960619a18ed576c1f2370c2c0a9c13021071687ee0674b376873c
SHA5128db868afd841b42a91d8eec07dd3d299317c6e0118c6bc176e6b104b1713168fbcfd93eb788b83366225f5de35a1dd143e72121f7ee60ff4ca0aaf7cf4655bf4
-
C:\Users\Admin\AppData\Local\Temp\The Silent Office Exploit.exeFilesize
2.9MB
MD5ca4e8e14b4dafe8261283960dc8245fd
SHA130a3779aea814e34d9d2883d44bb7656b40dfa00
SHA256faedc4de24b7a95481839771c8fa25fe3ac9c3d9bd41ed270fda2e2c788390b9
SHA5120274cd9329f6c25960adf9d15c403166dab0fe1772a57161dad331ceec7c0c2f4301099a1221869f51e53b95a05f31767c2414ef6a81c85927dbf99f8f1dc212
-
C:\Users\Admin\AppData\Local\Temp\The Silent Office Exploit.exeFilesize
2.9MB
MD5ca4e8e14b4dafe8261283960dc8245fd
SHA130a3779aea814e34d9d2883d44bb7656b40dfa00
SHA256faedc4de24b7a95481839771c8fa25fe3ac9c3d9bd41ed270fda2e2c788390b9
SHA5120274cd9329f6c25960adf9d15c403166dab0fe1772a57161dad331ceec7c0c2f4301099a1221869f51e53b95a05f31767c2414ef6a81c85927dbf99f8f1dc212
-
C:\Users\Admin\AppData\Local\Temp\autB0D7.tmpFilesize
239KB
MD529e1d5770184bf45139084bced50d306
SHA176c953cd86b013c3113f8495b656bd721be55e76
SHA256794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307
SHA5127cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8
-
C:\Users\Admin\AppData\Local\Temp\bls.icoFilesize
29KB
MD56ba6bd9cfea50f40d00d379429cdba84
SHA125e2b324117be7641b804f530d48de70d61d1fe6
SHA2563f55eb2aeb5cc8078ec9510d056ab18f5fed34058efc4117e470ee70e50276a2
SHA5126c1a287ec00bff3abc5c5d645f84d5516f37f40d44332052370e48cec4b4ccd514451037e848dd51f4788bef86f2b6c3b77117874f1c3a476b1cd2bf44dd7e33
-
C:\Users\Admin\AppData\Local\Temp\is-1LQSJ.tmp\Installer.tmpFilesize
697KB
MD5832dab307e54aa08f4b6cdd9b9720361
SHA1ebd007fb7482040ecf34339e4bf917209c1018df
SHA256cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3
SHA512358d43522fd460eb1511708e4df22ea454a95e5bc3c4841931027b5fa3fb1dda05d496d8ad0a8b9279b99e6be74220fe243db8f08ef49845e9fb35c350ef4b49
-
C:\Users\Admin\AppData\Roaming\Avira Antivir\Avirascan.batFilesize
278B
MD5c5347b386e62d29d71236f2e92d59caf
SHA14f0fe82c67bb7cdc11980b8cb7526f2feee24c18
SHA25673d625af69ee45fcf6f0756f917be5c3d82d007c3f17e5218621e4010aca7172
SHA51232bf4e641601d474b2d78f64b4a6da24aac46fa187efdfbe33b9d9d7edbfb3cb69aa2762d5680f30291b2bbb0bb6e241a68669c379a56451cdea67615abfe612
-
C:\Users\Admin\AppData\Roaming\Avira Antivir\Check for updates.batFilesize
73B
MD5024330b14a7ff3f666924ecdd425eaf7
SHA16e299a5a46b95e103f256a899acfaea2d0550c3f
SHA256f42c6c70b972ac04f1343ed23e9f0805e164649172227cad5340ff800a705e7d
SHA512c3659b0c051c4921b364ee1193346b8cae3f944d7a856292c56a90d26cac44ab461e4c3778c9228af72ad7182a87b560a1287a23ba37b3cf77d16e9d5e602ab4
-
C:\Users\Admin\AppData\Roaming\Avira Antivir\Updater.batFilesize
307B
MD58db3c21b4ef4430c8b2200c3f58f4c97
SHA10e48001d4c86569efac4563ef5f450877e475849
SHA256fb9c2b634bb11797952bd2516b656f7e64c332cfc8c1db86a30ae136d3887dbf
SHA5129c2b24db32ded9d73026cf18bd0d9d02abfbb7ebd17ef668064cad1746043589598281c43d9e3782254213fc647278f4abc6fb9d1d9e5c298fba9b65f0912056
-
C:\Users\Admin\AppData\Roaming\Avira Antivir\quiet.exeFilesize
136KB
MD5935809d393a2bf9f0e886a41ff5b98be
SHA11ed3fc1669115b309624480e88c924b7b67e73bb
SHA256c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c
SHA51246bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5
-
C:\Users\Admin\AppData\Roaming\Avira Antivir\quiet.exeFilesize
136KB
MD5935809d393a2bf9f0e886a41ff5b98be
SHA11ed3fc1669115b309624480e88c924b7b67e73bb
SHA256c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c
SHA51246bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5
-
\Users\Admin\AppData\Local\Temp\skin.dllFilesize
239KB
MD529e1d5770184bf45139084bced50d306
SHA176c953cd86b013c3113f8495b656bd721be55e76
SHA256794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307
SHA5127cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8
-
\Users\Admin\AppData\Local\Temp\skin.xwez8.msstylesFilesize
1.1MB
MD5719c51f5637d922e8416e23d0978b8cb
SHA1ebfc5fe2fcf48a36505716e997b1e2fab6365d85
SHA2566cf0bf46c9ee98fde7eb4dbc0b147e33babeabf9b1f50a4722e29dd57e95ef09
SHA512129a355ca1ace8c8ce7254c285d5e90b55941f18ff5fcaf6109aa502d18f543b7596493ce69c0bc167ce41bdc8622d4bf8529ecbd88fb0d9f963bfbcb91e24ae
-
\Users\Admin\AppData\Local\Temp\skin.xwez8.msstylesFilesize
1.1MB
MD5719c51f5637d922e8416e23d0978b8cb
SHA1ebfc5fe2fcf48a36505716e997b1e2fab6365d85
SHA2566cf0bf46c9ee98fde7eb4dbc0b147e33babeabf9b1f50a4722e29dd57e95ef09
SHA512129a355ca1ace8c8ce7254c285d5e90b55941f18ff5fcaf6109aa502d18f543b7596493ce69c0bc167ce41bdc8622d4bf8529ecbd88fb0d9f963bfbcb91e24ae
-
memory/1700-262-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2112-236-0x00000000757B0000-0x000000007589F000-memory.dmpFilesize
956KB
-
memory/2112-250-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-429-0x0000000010000000-0x00000000100BB000-memory.dmpFilesize
748KB
-
memory/2112-319-0x0000000010000000-0x00000000100BB000-memory.dmpFilesize
748KB
-
memory/2112-287-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-202-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-203-0x00000000756D0000-0x0000000075747000-memory.dmpFilesize
476KB
-
memory/2112-204-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-205-0x00000000756D0000-0x0000000075747000-memory.dmpFilesize
476KB
-
memory/2112-206-0x00000000756D0000-0x0000000075747000-memory.dmpFilesize
476KB
-
memory/2112-208-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-209-0x00000000756D0000-0x0000000075747000-memory.dmpFilesize
476KB
-
memory/2112-210-0x0000000010000000-0x00000000100BB000-memory.dmpFilesize
748KB
-
memory/2112-285-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-211-0x00000000756A0000-0x00000000756C5000-memory.dmpFilesize
148KB
-
memory/2112-216-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-226-0x00000000756A0000-0x00000000756C5000-memory.dmpFilesize
148KB
-
memory/2112-225-0x00000000756D0000-0x0000000075747000-memory.dmpFilesize
476KB
-
memory/2112-227-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-228-0x00000000756A0000-0x00000000756C5000-memory.dmpFilesize
148KB
-
memory/2112-229-0x00000000757B0000-0x000000007589F000-memory.dmpFilesize
956KB
-
memory/2112-286-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-230-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-232-0x0000000076270000-0x0000000076361000-memory.dmpFilesize
964KB
-
memory/2112-233-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-234-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-235-0x0000000076050000-0x00000000761A9000-memory.dmpFilesize
1.3MB
-
memory/2112-284-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-237-0x0000000076B00000-0x0000000076B45000-memory.dmpFilesize
276KB
-
memory/2112-283-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-240-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-241-0x0000000076270000-0x0000000076361000-memory.dmpFilesize
964KB
-
memory/2112-243-0x0000000072420000-0x0000000072498000-memory.dmpFilesize
480KB
-
memory/2112-244-0x0000000076530000-0x0000000076676000-memory.dmpFilesize
1.3MB
-
memory/2112-242-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-282-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-281-0x0000000070F80000-0x0000000070FA3000-memory.dmpFilesize
140KB
-
memory/2112-248-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-249-0x00000000757B0000-0x000000007589F000-memory.dmpFilesize
956KB
-
memory/2112-280-0x0000000076530000-0x0000000076676000-memory.dmpFilesize
1.3MB
-
memory/2112-251-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-252-0x0000000072420000-0x0000000072498000-memory.dmpFilesize
480KB
-
memory/2112-253-0x00000000757B0000-0x000000007589F000-memory.dmpFilesize
956KB
-
memory/2112-254-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-255-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-256-0x0000000072420000-0x0000000072498000-memory.dmpFilesize
480KB
-
memory/2112-279-0x0000000072420000-0x0000000072498000-memory.dmpFilesize
480KB
-
memory/2112-257-0x00000000756A0000-0x00000000756C5000-memory.dmpFilesize
148KB
-
memory/2112-259-0x0000000076530000-0x0000000076676000-memory.dmpFilesize
1.3MB
-
memory/2112-260-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-261-0x00000000757B0000-0x000000007589F000-memory.dmpFilesize
956KB
-
memory/2112-278-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-264-0x000000006FA80000-0x000000006FC8E000-memory.dmpFilesize
2.1MB
-
memory/2112-263-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-265-0x0000000072420000-0x0000000072498000-memory.dmpFilesize
480KB
-
memory/2112-267-0x0000000076530000-0x0000000076676000-memory.dmpFilesize
1.3MB
-
memory/2112-277-0x0000000076270000-0x0000000076361000-memory.dmpFilesize
964KB
-
memory/2112-270-0x0000000076050000-0x00000000761A9000-memory.dmpFilesize
1.3MB
-
memory/2112-274-0x0000000073C00000-0x0000000074F48000-memory.dmpFilesize
19.3MB
-
memory/2112-268-0x0000000000A80000-0x0000000000D68000-memory.dmpFilesize
2.9MB
-
memory/2112-273-0x0000000076B00000-0x0000000076B45000-memory.dmpFilesize
276KB
-
memory/2112-272-0x00000000757B0000-0x000000007589F000-memory.dmpFilesize
956KB
-
memory/3076-271-0x0000000000400000-0x00000000004BE000-memory.dmpFilesize
760KB
-
memory/3076-207-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4108-276-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4108-149-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4156-121-0x0000000002C80000-0x0000000002C90000-memory.dmpFilesize
64KB
-
memory/4296-269-0x000000001B850000-0x000000001B860000-memory.dmpFilesize
64KB
-
memory/4296-128-0x000000001B850000-0x000000001B860000-memory.dmpFilesize
64KB
-
memory/4296-127-0x0000000000B80000-0x0000000000B96000-memory.dmpFilesize
88KB
-
memory/4340-138-0x0000000007990000-0x0000000007E8E000-memory.dmpFilesize
5.0MB
-
memory/4340-137-0x00000000073F0000-0x000000000748C000-memory.dmpFilesize
624KB
-
memory/4340-139-0x0000000007490000-0x0000000007522000-memory.dmpFilesize
584KB
-
memory/4340-136-0x0000000007140000-0x0000000007150000-memory.dmpFilesize
64KB
-
memory/4340-140-0x00000000073C0000-0x00000000073CA000-memory.dmpFilesize
40KB
-
memory/4340-141-0x00000000076B0000-0x0000000007706000-memory.dmpFilesize
344KB
-
memory/4340-135-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4340-144-0x0000000007140000-0x0000000007150000-memory.dmpFilesize
64KB
