Analysis
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 05-05-2021 09:07
Static task
static1
Behavioral task
behavioral1
Sample: COVID 19 IVN AND CREW LIST.xlsx
Resource: win7v20210408
Behavioral task
behavioral2
Sample: COVID 19 IVN AND CREW LIST.xlsx
Resource: win10v20210410
General
Target: COVID 19 IVN AND CREW LIST.xlsx
Size: 628KB
MD5: c64491aa41027a5b0df3658bbc85ae47
SHA1: dee8920d1755a26544f73cfbc66a0abb9aca7670
SHA256: 5299caa8131b3b21fb96123e8b9d0ce675bfa5287df1e0703e192e5087e40591
SHA512: f70e1efab4dff9f781b7a7312cb144d8f10a5691d4b560d0b5f77a96d3d33ce66f264a7f32e061a60bfe19cfe7c74ee1974e3f1d35ffc8807b05fb7614b279a9
Malware Config
Extracted
remcos
wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996
Signatures
Blocklisted process makes network request 1 IoCs
Processes:
  flow 3, pid 852, process EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 5 IoCs
Processes:
  pid 1516  DJK.exe
  pid 1580  DJK.exe
  pid 1524  win.exe
  pid 1572  win.exe
  pid 1320  win.exe
Loads dropped DLL 7 IoCs
Processes:
  pid 852   EQNEDT32.EXE
  pid 564   WerFault.exe (x5)
  pid 1492  cmd.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: win.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\"" (process: win.exe)
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: DJK.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\"" (process: DJK.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
Processes:
  pid 1516  DJK.exe (x11)
  pid 1524  win.exe (x10)
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 1516 set thread context of 1580 (pid 1516, process DJK.exe, target process DJK.exe)
  PID 1524 set thread context of 1320 (pid 1524, process win.exe, target process win.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
  pid 564, pid_target 1516, process WerFault.exe, target process DJK.exe
Delays execution with timeout.exe 2 IoCs
Processes:
  pid 1324  timeout.exe
  pid 1676  timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process: EXCEL.EXE)
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes (all entries: process EXCEL.EXE):
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 684   EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
  pid 1516  DJK.exe (x3)
  pid 564   WerFault.exe (x5)
  pid 1524  win.exe (x5)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 1320  win.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  Token: SeDebugPrivilege  pid 1516  DJK.exe
  Token: SeDebugPrivilege  pid 564   WerFault.exe
  Token: SeDebugPrivilege  pid 1524  win.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid 684   EXCEL.EXE (x5)
  pid 1320  win.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  PID 852 wrote to memory of 1516 (process EQNEDT32.EXE, target process DJK.exe) (x4)
  PID 684 wrote to memory of 1476 (process EXCEL.EXE, target process splwow64.exe) (x4)
  PID 1516 wrote to memory of 1104 (process DJK.exe, target process cmd.exe) (x4)
  PID 1104 wrote to memory of 1324 (process cmd.exe, target process timeout.exe) (x4)
  PID 1516 wrote to memory of 1580 (process DJK.exe, target process DJK.exe) (x11)
  PID 1580 wrote to memory of 1604 (process DJK.exe, target process WScript.exe) (x4)
  PID 1516 wrote to memory of 564 (process DJK.exe, target process WerFault.exe) (x4)
  PID 1604 wrote to memory of 1492 (process WScript.exe, target process cmd.exe) (x4)
  PID 1492 wrote to memory of 1524 (process cmd.exe, target process win.exe) (x4)
  PID 1524 wrote to memory of 316 (process win.exe, target process cmd.exe) (x4)
  PID 316 wrote to memory of 1676 (process cmd.exe, target process timeout.exe) (x4)
  PID 1524 wrote to memory of 1572 (process win.exe, target process win.exe) (x4)
  PID 1524 wrote to memory of 1320 (process win.exe, target process win.exe) (x9)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\COVID 19 IVN AND CREW LIST.xlsx"
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
  Command line: C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\DJK.exe
  Command line: "C:\Users\Admin\AppData\Roaming\DJK.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\DJK.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DJK.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Roaming\win.exe
          Command line: C:\Users\Admin\AppData\Roaming\win.exe
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
            - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\timeout.exe
              Command line: timeout 1
              - Delays execution with timeout.exe
            C:\Users\Admin\AppData\Roaming\win.exe
            Command line: "C:\Users\Admin\AppData\Roaming\win.exe"
            - Executes dropped EXE
            C:\Users\Admin\AppData\Roaming\win.exe
            Command line: "C:\Users\Admin\AppData\Roaming\win.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 928
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads