Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 21:44
Static task
static1
Behavioral task
behavioral1
Sample
order072724.docx
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
order072724.docx
Resource
win10v2004-20240709-en
General
-
Target
order072724.docx
-
Size
93KB
-
MD5
d89c00ac44e63c962db8c02cbf0bab93
-
SHA1
2ac1b269e93b1a0c0068b68d8d1d4f9e4a5cc06a
-
SHA256
5dc96311ffca3ae13e805020a61d276e2a2b1032e2ecc87a05f86c346e90d47c
-
SHA512
088c3b2a514fb1e5c504b29eb86302b8e8787e26dc6f6b0ea13ad6916676f16dc2650aa9b2a571c48fe6628311bd25f4a509830fd718b6444dac82308402739c
-
SSDEEP
1536:LMzw/hgP0QF6smQKEMzqsQtrm5rbXkvMtLQ6j7jfmMIGSzyn5ivkSVkkKLkJem5Y:o0Q8hjOXIrbXyMtE6j/EfvkS8LrQY
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 10 1960 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 1784 powershell.exe 2492 powershell.exe -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
Processes:
swagodi78811.scrswagodi78811.scrpid process 2496 swagodi78811.scr 1336 swagodi78811.scr -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1960 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
swagodi78811.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 swagodi78811.scr Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 swagodi78811.scr Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 swagodi78811.scr -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 checkip.dyndns.org -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
swagodi78811.scrdescription pid process target process PID 2496 set thread context of 1336 2496 swagodi78811.scr swagodi78811.scr -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EQNEDT32.EXEswagodi78811.scrpowershell.exepowershell.exeschtasks.exeswagodi78811.scrWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swagodi78811.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swagodi78811.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2228 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
swagodi78811.scrswagodi78811.scrpowershell.exepowershell.exepid process 2496 swagodi78811.scr 2496 swagodi78811.scr 1336 swagodi78811.scr 1784 powershell.exe 2492 powershell.exe 1336 swagodi78811.scr -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
swagodi78811.scrswagodi78811.scrpowershell.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 2496 swagodi78811.scr Token: SeDebugPrivilege 1336 swagodi78811.scr Token: SeDebugPrivilege 1784 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeShutdownPrivilege 2228 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2228 WINWORD.EXE 2228 WINWORD.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEswagodi78811.scrdescription pid process target process PID 1960 wrote to memory of 2496 1960 EQNEDT32.EXE swagodi78811.scr PID 1960 wrote to memory of 2496 1960 EQNEDT32.EXE swagodi78811.scr PID 1960 wrote to memory of 2496 1960 EQNEDT32.EXE swagodi78811.scr PID 1960 wrote to memory of 2496 1960 EQNEDT32.EXE swagodi78811.scr PID 2228 wrote to memory of 2316 2228 WINWORD.EXE splwow64.exe PID 2228 wrote to memory of 2316 2228 WINWORD.EXE splwow64.exe PID 2228 wrote to memory of 2316 2228 WINWORD.EXE splwow64.exe PID 2228 wrote to memory of 2316 2228 WINWORD.EXE splwow64.exe PID 2496 wrote to memory of 1784 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 1784 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 1784 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 1784 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 2492 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 2492 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 2492 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 2492 2496 swagodi78811.scr powershell.exe PID 2496 wrote to memory of 1684 2496 swagodi78811.scr schtasks.exe PID 2496 wrote to memory of 1684 2496 swagodi78811.scr schtasks.exe PID 2496 wrote to memory of 1684 2496 swagodi78811.scr schtasks.exe PID 2496 wrote to memory of 1684 2496 swagodi78811.scr schtasks.exe PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr PID 2496 wrote to memory of 1336 2496 swagodi78811.scr swagodi78811.scr -
outlook_office_path 1 IoCs
Processes:
swagodi78811.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 swagodi78811.scr -
outlook_win_path 1 IoCs
Processes:
swagodi78811.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 swagodi78811.scr
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order072724.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\swagodi78811.scr"C:\Users\Admin\AppData\Roaming\swagodi78811.scr"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\swagodi78811.scr"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gRpkBp.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AF1.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\swagodi78811.scr"C:\Users\Admin\AppData\Roaming\swagodi78811.scr"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5f9e4de1d380d6fd564ebdb9500d93504
SHA1af802caea8c3da076b884af67b0527acd9905f6b
SHA256c917960d831207c2d86d56ded4f7b3da6ece5b05fc730039da2798ca6dcedfbe
SHA5126c4e63c0ed09f9b1ec8f0fd5922d8e15601750f280fda7a3df44ff1d269c693e778e0db91c28f0a9fbbaa708262c30dee5229addef1f7ec47a148cdaf985ea52
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD5f0017039ebad1ed5e9e0238eb3b09b33
SHA12f1f313327f8cf4f967e3597f781c66ff5fc630f
SHA2567887c0cef07ef0e9bbc57eceb04ccf21573f690bd5bfcc8e9564b3b8c44f0249
SHA512438320327acfafa92bf207c304b30570441d1eb0b951a44780e90d5d5733b69fd149902f0278e45382f6a7c351e852649e51f8b6456cb5e5e956c1d04d1ce3b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD542503ec14d6278437c2d0fc67d44654e
SHA11bfed52b1e8fb67400210f8b5f7e7f3800207b54
SHA2564bd77dababc5c3f568f7a6ea12caba33c4410891d06c29c9502b6933f2a2a2b0
SHA512e78fc83dab8197c0d0b49b5c8239dc0265c15ec8f9cab03a73246ed91f53988719ace79aee1fc7d13a78c24f4c1328035753e1ab8c2b4481fa67e72cc6c4583f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD52441eb7a4b870b451c339d7082613c45
SHA1ab8ffa0b164a8dd9312b902ea15b1f6c76f9de8a
SHA2560abf14db5f829070f742180625189376eb1668d0e32b229a8f534fba0d12ed09
SHA5127c09df1c2c2d1ed70e4d16a6833d173fa9667fdb89f21aa09f5641dd101f0a07904d0107ab9394564d5cd0de510591e6dd3daffcc7a72a653154d5a80dc98ac8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5a3785b37e8c46e4b0837a32fab08ea53
SHA1c9458e9d42a4f85dcf14de0d29f3deb1cd4a0616
SHA256c7398f602e9d9157ce76b51770b302bc2b424aa81a0a60805cf7acb918e8fb8b
SHA512f0ace048f53da6e9eacbcb51ec1c6c58de5b338641f471960fcc6cbd7bc9895ce1b7deaa22347a8f7066efd670fc2d442e4f02656137cefacf7cce173b3f07c2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A8EEF6BE-D976-4807-A333-8EF19EC58378}.FSDFilesize
128KB
MD55231bb6513897f5dd6680996a68c8072
SHA1528489c607034ee45eb145c9fdc6a61f0a12d584
SHA2560967ec21c3ded6c9484ebc626ccc089d737c4aceb396d9d8eedc874808566475
SHA512fdd2650edb2c44970ce359d14c1ec6eec75839ec02c37787e59e7a1614e1cb38d68626142eaff5669c9aacecce8a742a484f7cefc3d20ecbed28a251c19ab2a7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\swagodi[1].docFilesize
694KB
MD505e14a71757a27a508d0324732e006fe
SHA154555f143881b2e53e44bc430bf709fc785f6bcf
SHA256eec7cf36ee9f2bb08b710c19227840d9fcb632c3dccdf756d5a46ce194290469
SHA512411e301fd70ccd8c16e2b85b37442387f9f3721a7bb24f236695da95714c814a207f0d4aaa29b67ed594e8aaaeb13562922373af7fc58622f33924371116878d
-
C:\Users\Admin\AppData\Local\Temp\Cab5715.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\tmp8AF1.tmpFilesize
1KB
MD5ed64fdf7ec460a65ea0f4bf18058eea9
SHA13c43df2241b815bc141b4663770ecd0a862a3d66
SHA25634a687abf67d5c11029f2c25a1b13a3942e4143a654149550444c9be97cabb65
SHA512bc000bc1a5829222e82c3de4096dbf2e3a4616134f10981aacb81df603a4c8c525c825bf30d17745af9d4a59107620311ef82b7d93c568d7a74e87cd6814ff96
-
C:\Users\Admin\AppData\Local\Temp\{3F48A58D-F99E-499E-BF73-8FA07EE079AF}Filesize
128KB
MD51b6cd6bda56ddd7df60aee19c058521d
SHA1abb093bde64f6159d73c4fa17398274934f861ff
SHA256f2656351dc39b4d6d1537a41c7835370a9beab16c5364f050cad76abea6387ca
SHA5123c08c17ba332a089ecb6dd03e56d7903c06b16830c6880d0d752c1ad501c23b08bc7028539264b49b7eca0cb2d6d45f30fa75bdac883a08bc3a5ea3a42e6ef09
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
274B
MD5ce63748eee22650099f6e2ed678f3464
SHA1eb3dad03a3cd8f8d96524b022b133bfd2cc1641f
SHA25633e18c02a43ac5b71263a8e20aefdfab8279580afb9f1cd2c1356a9ecbdc426d
SHA5120ed298754a9c9e9be202fc152d3b6c97cc208eced558d0d56232de4d047bf2adcb8f697eb691a11c8d6ec4c388f57098ba9e9ed7e5a0b42be280ba159cbc4eec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
19KB
MD5b636d25d7f851e939939bee8815c7b77
SHA1f25e8264e8d311747292725094696414c1edbbb5
SHA2567c81fa0389c7a4ac8edcc96cbbc7c61366e0146c7dc7770f63885c45a3b425ed
SHA512badf29c63ae8795e8c413e8585dda8d568d3f3c816b733e75d5e4fb566855859f390cc041e355234126d4cc34342158692ba8b6fb603652bf93b7849ceb50389
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WEJ6T3YJGCA111YC55K2.tempFilesize
7KB
MD50c9d80387030a4a6bc6b4eb974eb54e5
SHA1c8529dcb71f6f12d9b7902c39331ec7504f36aa5
SHA256d0bb30435b0e90f4fc88ef702d1172eb2c7a97e79b0cb299022b0f2b554e57ca
SHA5124769cc7b91f61f56cc7a41ce2027e59d8008c8a4b2f55ce4a598ac4465f5690bfd3f8b7339d2dea2648c14a77517693cf388f5964a7fd5095b6834581eabf5f5
-
C:\Users\Admin\AppData\Roaming\swagodi78811.scrFilesize
667KB
MD5c448536aeea36b80a15d639e31c7b847
SHA15225387e8d149e14a73f3d25a055b069750aefcc
SHA256490784a930fe7d630c926436c540441694c905a9cb1fe6b3c25d16c366d75492
SHA512e51b95996a95c7fc9ae4206a76642d8c4b59062bb49bc54931bdc1fda8a080f5f29451e71a3f63f2c3530d8d71b56f9e00482d38a6c645492932986523576f01
-
memory/1336-164-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1336-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1336-152-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1336-154-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1336-156-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1336-158-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1336-163-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1336-161-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/2228-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2228-0-0x000000002FF01000-0x000000002FF02000-memory.dmpFilesize
4KB
-
memory/2228-2-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/2228-165-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/2228-188-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2228-189-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/2496-127-0x0000000000390000-0x000000000039E000-memory.dmpFilesize
56KB
-
memory/2496-139-0x0000000005910000-0x000000000599C000-memory.dmpFilesize
560KB
-
memory/2496-138-0x0000000000570000-0x000000000057E000-memory.dmpFilesize
56KB
-
memory/2496-122-0x0000000000230000-0x00000000002DA000-memory.dmpFilesize
680KB