Analysis
-
max time kernel
193s -
max time network
222s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 18:12
Behavioral task
behavioral1
Sample
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
Resource
win10v2004-20221111-en
General
-
Target
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
-
Size
101KB
-
MD5
73c3b1ed77b34f3521b9c4ec3b1d8025
-
SHA1
ee9dd2e2ddb20d4d4ef1e869f10284f42ca881b3
-
SHA256
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894
-
SHA512
736cb56a67a3767730ce41e09ba878ee56454fbde70a22f8d9112ab95a2c48a3ff3d63394d35f0651b0ade434a01390b86f145b77acd0024cf2c631da8d09f8c
-
SSDEEP
1536:JxqjQ+P04wsmJCIcdHGe/jITeo/Mds0S1Kq7w7DXP:sr85CIcBGe/jITeokdK1187D/
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
Processes:
resource yara_rule C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\odt\OFFICE~1.EXE family_neshta C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 3 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exesvchost.comTrojan.exepid process 3676 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe 1948 svchost.com 4784 Trojan.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Trojan.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." Trojan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." Trojan.exe -
Drops file in Program Files directory 42 IoCs
Processes:
svchost.com3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe svchost.com -
Drops file in Windows directory 6 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exesvchost.comTrojan.exe3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exedescription ioc process File opened for modification C:\Windows\5qfsNWybqKe0UvWe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\5qfsNWybqKe0UvWe Trojan.exe File opened for modification C:\Windows\svchost.com 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe File created C:\Windows\5qfsNWybqKe0UvWe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exeTrojan.exepid process 3676 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe 4784 Trojan.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exeTrojan.exedescription pid process Token: SeDebugPrivilege 3676 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe Token: SeDebugPrivilege 4784 Trojan.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exesvchost.comTrojan.exedescription pid process target process PID 4916 wrote to memory of 3676 4916 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe PID 4916 wrote to memory of 3676 4916 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe PID 4916 wrote to memory of 3676 4916 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe PID 3676 wrote to memory of 1948 3676 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe svchost.com PID 3676 wrote to memory of 1948 3676 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe svchost.com PID 3676 wrote to memory of 1948 3676 3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe svchost.com PID 1948 wrote to memory of 4784 1948 svchost.com Trojan.exe PID 1948 wrote to memory of 4784 1948 svchost.com Trojan.exe PID 1948 wrote to memory of 4784 1948 svchost.com Trojan.exe PID 4784 wrote to memory of 2728 4784 Trojan.exe netsh.exe PID 4784 wrote to memory of 2728 4784 Trojan.exe netsh.exe PID 4784 wrote to memory of 2728 4784 Trojan.exe netsh.exe PID 4784 wrote to memory of 1172 4784 Trojan.exe dw20.exe PID 4784 wrote to memory of 1172 4784 Trojan.exe dw20.exe PID 4784 wrote to memory of 1172 4784 Trojan.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe"C:\Users\Admin\AppData\Local\Temp\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exeC:\Users\Admin\AppData\Local\Temp\Trojan.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE5⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 12805⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exeFilesize
982KB
MD54e8c731e3175d6d2f5085fe55974e1db
SHA174604823bd1e5af86d66e4986c1203f2bf26e657
SHA2568a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325
SHA512a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exeFilesize
61KB
MD57a292a3626d43c9b9de3e3cde8320334
SHA1a10b7e2117faccc4c46fd859143e5b14f8700d69
SHA2564c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919
SHA512f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exeFilesize
61KB
MD57a292a3626d43c9b9de3e3cde8320334
SHA1a10b7e2117faccc4c46fd859143e5b14f8700d69
SHA2564c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919
SHA512f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exeFilesize
61KB
MD57a292a3626d43c9b9de3e3cde8320334
SHA1a10b7e2117faccc4c46fd859143e5b14f8700d69
SHA2564c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919
SHA512f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exeFilesize
61KB
MD57a292a3626d43c9b9de3e3cde8320334
SHA1a10b7e2117faccc4c46fd859143e5b14f8700d69
SHA2564c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919
SHA512f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda
-
C:\Windows\5qfsNWybqKe0UvWeFilesize
40B
MD581bdc05093573219d3999ea0bcf716e3
SHA189aef63d71557f1995f79a029073a13546b7dca7
SHA25636ac5faac9bb21a817c629bb00eecbcd7991a66313efc825150b74f809b04884
SHA512f196dda8b05f09cde36cee56473077892ad5d1e1d25cba0fb392983f32b9db22199ffc821d8e904602bb921e08e907916065a2d40157be721088e1c27f6d95e6
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXEFilesize
5.1MB
MD502c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/1172-150-0x0000000000000000-mapping.dmp
-
memory/1948-137-0x0000000000000000-mapping.dmp
-
memory/2728-147-0x0000000000000000-mapping.dmp
-
memory/3676-143-0x0000000073400000-0x00000000739B1000-memory.dmpFilesize
5.7MB
-
memory/3676-132-0x0000000000000000-mapping.dmp
-
memory/3676-136-0x0000000073400000-0x00000000739B1000-memory.dmpFilesize
5.7MB
-
memory/3676-135-0x0000000073400000-0x00000000739B1000-memory.dmpFilesize
5.7MB
-
memory/4784-141-0x0000000000000000-mapping.dmp
-
memory/4784-145-0x0000000073400000-0x00000000739B1000-memory.dmpFilesize
5.7MB
-
memory/4784-149-0x0000000073400000-0x00000000739B1000-memory.dmpFilesize
5.7MB