Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-01-2021 06:22
Static task: static1
Behavioral task: behavioral1
- Sample: EASTEND.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: EASTEND.doc
- Resource: win10v20201028
General
- Target: EASTEND.doc
- Size: 299KB
- MD5: 4ba5af0ca862e168e6be9b311c19d023
- SHA1: 489c5f20f70391e817a1b2406f164b789094c376
- SHA256: 91a88238f5b4dc93a3626e9fc6cf1c5e10b5690153bac179606128380fb45142
- SHA512: 36ee5ddeadf4cb447b52810174173b8919b7ecd93659cf091ba1f5aab79618b4a416807b3feb6e42eb7a0a2e19e5d63dcbfb412cd54245e04afe535c3f4213e9
Malware Config
Extracted
remcos
gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu:2177
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
6 | 664 | EQNEDT32.EXE
-
Executes dropped EXE 4 IoCs
Processes: JAK.exe, JAK.exe, win.exe, win.exe
pid | process
1876 | JAK.exe
1660 | JAK.exe
1156 | win.exe
1844 | win.exe
-
Loads dropped DLL 4 IoCs
Processes: EQNEDT32.EXE, cmd.exe
pid | process
664 | EQNEDT32.EXE
664 | EQNEDT32.EXE
1056 | cmd.exe
1056 | cmd.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: JAK.exe, win.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | JAK.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\"" | JAK.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | win.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\"" | win.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
Processes: JAK.exe, win.exe
pid | process
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: JAK.exe, win.exe
description | pid | process | target process
PID 1876 set thread context of 1660 | 1876 | JAK.exe | JAK.exe
PID 1156 set thread context of 1844 | 1156 | win.exe | win.exe
-
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 6 IoCs
Processes: timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe
pid | process
1664 | timeout.exe
1880 | timeout.exe
1868 | timeout.exe
1660 | timeout.exe
1112 | timeout.exe
1372 | timeout.exe
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
1340 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: JAK.exe, win.exe
pid | process
1876 | JAK.exe
1876 | JAK.exe
1876 | JAK.exe
1156 | win.exe
1156 | win.exe
1156 | win.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: JAK.exe, win.exe
description | pid | process
Token: SeDebugPrivilege | 1876 | JAK.exe
Token: SeDebugPrivilege | 1156 | win.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: WINWORD.EXE, win.exe
pid | process
1340 | WINWORD.EXE
1340 | WINWORD.EXE
1844 | win.exe
-
Suspicious use of WriteProcessMemory 86 IoCs
Processes
-
Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EASTEND.doc"
Process tree depth: 1
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Process tree depth: 1
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\JAK.exe
Command line: C:\Users\Admin\AppData\Roaming\JAK.exe
Process tree depth: 2
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Process tree depth: 4
- Delays execution with timeout.exe
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Process tree depth: 4
- Delays execution with timeout.exe
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Process tree depth: 4
- Delays execution with timeout.exe
-
Image: C:\Users\Admin\AppData\Roaming\JAK.exe
Command line: "C:\Users\Admin\AppData\Roaming\JAK.exe"
Process tree depth: 3
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
Process tree depth: 4
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
Process tree depth: 5
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\win.exe
Command line: C:\Users\Admin\AppData\Roaming\win.exe
Process tree depth: 6
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
Process tree depth: 7
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Process tree depth: 8
- Delays execution with timeout.exe
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
Process tree depth: 7
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Process tree depth: 8
- Delays execution with timeout.exe
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
Process tree depth: 7
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Process tree depth: 8
- Delays execution with timeout.exe
-
Image: C:\Users\Admin\AppData\Roaming\win.exe
Command line: "C:\Users\Admin\AppData\Roaming\win.exe"
Process tree depth: 7
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads