Analysis
-
max time kernel
137s -
max time network
143s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
23-04-2021 11:23
Static task
static1
Behavioral task
behavioral1
Sample
Orden de compra 1910003976.xlsm
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Orden de compra 1910003976.xlsm
Resource
win10v20210408
General
-
Target
Orden de compra 1910003976.xlsm
-
Size
71KB
-
MD5
8273a0b7226e7cceeab9c08cf12cbf9a
-
SHA1
1eccef99ee7b62212a4e2a8bcb1bde71095af728
-
SHA256
6994d0049b0cf4f69b76d397e421110d95f1408aaedfd827bd3906973e85f2fe
-
SHA512
b65ca73d6badf1d28e164388e096a0a3a06c2a6d29e11132242bee158b410c3b20b1db4dec976c2008f1b2d046a3f769f854ffdd33b733d650c532bdb67adcfd
Malware Config
Extracted
xpertrat
3.0.10
special X
ghytrty.duckdns.org:4145
spapertyy.duckdns.org:4145
L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0
Signatures
-
XpertRAT Core Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1644-87-0x0000000000400000-0x0000000000443000-memory.dmp xpertrat behavioral1/memory/1644-88-0x0000000000401364-mapping.dmp xpertrat -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1844-97-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1844-98-0x0000000000411654-mapping.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1672-100-0x0000000000400000-0x0000000000459000-memory.dmp WebBrowserPassView behavioral1/memory/1672-101-0x0000000000442F04-mapping.dmp WebBrowserPassView -
Nirsoft 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1844-97-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1844-98-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/1672-100-0x0000000000400000-0x0000000000459000-memory.dmp Nirsoft behavioral1/memory/1672-101-0x0000000000442F04-mapping.dmp Nirsoft behavioral1/memory/764-108-0x000000000040C2A8-mapping.dmp Nirsoft behavioral1/memory/764-107-0x0000000000400000-0x0000000000415000-memory.dmp Nirsoft -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe" iexplore.exe -
Blocklisted process makes network request 1 IoCs
Processes:
cscript.exeflow pid process 3 296 cscript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
xpertee.exexpertee.exepid process 1328 xpertee.exe 1012 xpertee.exe -
Processes:
resource yara_rule behavioral1/memory/108-94-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral1/memory/1892-104-0x0000000000400000-0x0000000000416000-memory.dmp upx -
Loads dropped DLL 1 IoCs
Processes:
cscript.exepid process 296 cscript.exe -
Processes:
xpertee.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" xpertee.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe" iexplore.exe -
Processes:
xpertee.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xpertee.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
xpertee.exexpertee.exeiexplore.exedescription pid process target process PID 1328 set thread context of 1012 1328 xpertee.exe xpertee.exe PID 1012 set thread context of 1644 1012 xpertee.exe iexplore.exe PID 1644 set thread context of 108 1644 iexplore.exe iexplore.exe PID 1644 set thread context of 1844 1644 iexplore.exe iexplore.exe PID 1644 set thread context of 1672 1644 iexplore.exe iexplore.exe PID 1644 set thread context of 1892 1644 iexplore.exe iexplore.exe PID 1644 set thread context of 764 1644 iexplore.exe iexplore.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1992 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
xpertee.exepid process 1012 xpertee.exe 1012 xpertee.exe 1012 xpertee.exe 1012 xpertee.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
iexplore.exeiexplore.exedescription pid process Token: SeDebugPrivilege 1644 iexplore.exe Token: SeDebugPrivilege 108 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
EXCEL.EXExpertee.exeiexplore.exepid process 1992 EXCEL.EXE 1992 EXCEL.EXE 1992 EXCEL.EXE 1012 xpertee.exe 1644 iexplore.exe 1992 EXCEL.EXE 1992 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
EQNEDT32.EXEcmD.exewscript.execmd.execscript.exexpertee.exexpertee.exeiexplore.exedescription pid process target process PID 1776 wrote to memory of 1780 1776 EQNEDT32.EXE cmD.exe PID 1776 wrote to memory of 1780 1776 EQNEDT32.EXE cmD.exe PID 1776 wrote to memory of 1780 1776 EQNEDT32.EXE cmD.exe PID 1776 wrote to memory of 1780 1776 EQNEDT32.EXE cmD.exe PID 1780 wrote to memory of 740 1780 cmD.exe wscript.exe PID 1780 wrote to memory of 740 1780 cmD.exe wscript.exe PID 1780 wrote to memory of 740 1780 cmD.exe wscript.exe PID 1780 wrote to memory of 740 1780 cmD.exe wscript.exe PID 740 wrote to memory of 1064 740 wscript.exe cmd.exe PID 740 wrote to memory of 1064 740 wscript.exe cmd.exe PID 740 wrote to memory of 1064 740 wscript.exe cmd.exe PID 740 wrote to memory of 1064 740 wscript.exe cmd.exe PID 1064 wrote to memory of 296 1064 cmd.exe cscript.exe PID 1064 wrote to memory of 296 1064 cmd.exe cscript.exe PID 1064 wrote to memory of 296 1064 cmd.exe cscript.exe PID 1064 wrote to memory of 296 1064 cmd.exe cscript.exe PID 296 wrote to memory of 1328 296 cscript.exe xpertee.exe PID 296 wrote to memory of 1328 296 cscript.exe xpertee.exe PID 296 wrote to memory of 1328 296 cscript.exe xpertee.exe PID 296 wrote to memory of 1328 296 cscript.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1328 wrote to memory of 1012 1328 xpertee.exe xpertee.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1012 wrote to memory of 1644 1012 xpertee.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 108 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1844 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe PID 1644 wrote to memory of 1672 1644 iexplore.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
xpertee.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xpertee.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de compra 1910003976.xlsm"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmD.execmD /c ReN %TMp%\x x& WSCrIpT %tmp%\x?..wsf C2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exeWSCrIpT C:\Users\Admin\AppData\Local\Temp\x?..wsf C3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp\xx.vbs5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\xpertee.exe"C:\ProgramData\xpertee.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\xpertee.exe"{path}"7⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\xpertee.exe8⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq0.txt"9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq1.txt"9⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq2.txt"9⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq3.txt"9⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq4.txt"9⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\xpertee.exeMD5
47eb0c8afe69369e294c97c91d1867e8
SHA1eefb321afb609d01531be6719900aeb1f3bb9f06
SHA256c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553
SHA51248dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769
-
C:\ProgramData\xpertee.exeMD5
47eb0c8afe69369e294c97c91d1867e8
SHA1eefb321afb609d01531be6719900aeb1f3bb9f06
SHA256c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553
SHA51248dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769
-
C:\ProgramData\xpertee.exeMD5
47eb0c8afe69369e294c97c91d1867e8
SHA1eefb321afb609d01531be6719900aeb1f3bb9f06
SHA256c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553
SHA51248dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769
-
C:\Users\Admin\AppData\Local\Temp\xMD5
0ab52e21d3c1a5f5e3cb43d18626d20b
SHA1dc760533e54978f6e21a16f902cb0bf4c1931eaa
SHA2561bd644e26916660b7cf18d4f93793f79eea6dcf5988af427e7c8b60eb84cc90b
SHA5121db34001656eb5e00ddcb71b057d567f751333a58e9f4a120f4645c05cb3d02969bcad8f2e6c317074ec2ad4af76d37ac778bc1a3a4f3387016893462975040a
-
C:\Users\Admin\AppData\Local\Temp\xxMD5
1ba140c23eacb39108e7eb3e33843fd9
SHA1952fa4c1ae57ef16b92515f465a2bb001859b9ff
SHA256e02242e5b868bedd0664ff75761b008b2d585a41c6754cdc4805142681c76903
SHA5128039ca3b5099d485736772c6d69265ade0170c68181da83cf8ceb055e15a1234d0eb12cc21569cde8db3a882fa098c36fec34b04a934af235e31c79168a29624
-
C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq2.txtMD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq4.txtMD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
\ProgramData\xpertee.exeMD5
47eb0c8afe69369e294c97c91d1867e8
SHA1eefb321afb609d01531be6719900aeb1f3bb9f06
SHA256c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553
SHA51248dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769
-
memory/108-95-0x0000000000423BC0-mapping.dmp
-
memory/108-94-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/296-70-0x0000000000000000-mapping.dmp
-
memory/740-66-0x0000000000000000-mapping.dmp
-
memory/764-108-0x000000000040C2A8-mapping.dmp
-
memory/764-107-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/1012-82-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1012-83-0x00000000004010B8-mapping.dmp
-
memory/1064-69-0x0000000000000000-mapping.dmp
-
memory/1328-81-0x00000000048A0000-0x00000000048FC000-memory.dmpFilesize
368KB
-
memory/1328-76-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
-
memory/1328-80-0x0000000005ED0000-0x0000000005F7B000-memory.dmpFilesize
684KB
-
memory/1328-79-0x0000000000320000-0x000000000032E000-memory.dmpFilesize
56KB
-
memory/1328-78-0x0000000004860000-0x0000000004861000-memory.dmpFilesize
4KB
-
memory/1328-73-0x0000000000000000-mapping.dmp
-
memory/1644-87-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1644-88-0x0000000000401364-mapping.dmp
-
memory/1644-89-0x0000000000450000-0x00000000005A3000-memory.dmpFilesize
1.3MB
-
memory/1672-101-0x0000000000442F04-mapping.dmp
-
memory/1672-100-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/1776-63-0x0000000075B31000-0x0000000075B33000-memory.dmpFilesize
8KB
-
memory/1780-64-0x0000000000000000-mapping.dmp
-
memory/1844-97-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1844-98-0x0000000000411654-mapping.dmp
-
memory/1892-104-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1892-105-0x0000000000413750-mapping.dmp
-
memory/1992-60-0x000000002F0F1000-0x000000002F0F4000-memory.dmpFilesize
12KB
-
memory/1992-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1992-61-0x0000000071B91000-0x0000000071B93000-memory.dmpFilesize
8KB