Analysis
max time kernel: 11s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 07-02-2021 05:29
Static task: static1
Behavioral task: behavioral1
Sample: XER-34T.msi
Resource: win7v20201028
Behavioral task: behavioral2
Sample: XER-34T.msi
Resource: win10v20201028
Errors
General
Target: XER-34T.msi
Size: 1.8MB
MD5: aedde70fbec3b017bced97e32323e559
SHA1: 4ee6cb0632af8cfe1c7b4e57918aae1a9c28682d
SHA256: 32d4a464dae9552b1a5aaf8b95c1f22d3f99ebd112245fa1a3719ad12fa26ed6
SHA512: 4f744b6758df23d81ea1190519687b926cd506191db081ad32cf01c2b6e05d7ebd207e1cf19147c5ba65894daad389d1c5a3919c1dfe32a5da6592001355f276
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 6, pid 1968, process MsiExec.exe
-
Loads dropped DLL 9 IoCs
Processes:
pid 1968, process MsiExec.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Key created (reg.exe): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Set value (str) (reg.exe): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdminlxSWM© = "\"C:\\AdminlxSWM©\\pwzmw©.exe\""
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
HTTP User-Agent header (flow 6): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 1076, process msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
pid 1108, process msiexec.exe
pid 1968, process MsiExec.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
PID 1076 (msiexec.exe) wrote to memory of 1968 (MsiExec.exe)
PID 1968 (MsiExec.exe) wrote to memory of 1356 (cmd.exe)
PID 1968 (MsiExec.exe) wrote to memory of 2020 (cmd.exe)
PID 1356 (cmd.exe) wrote to memory of 1180 (reg.exe)
PID 2020 (cmd.exe) wrote to memory of 1764 (shutdown.exe)
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XER-34T.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (depth 1)
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
C:\Windows\syswow64\MsiExec.exe -Embedding 8932425E99B203F82412F47651068C31
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
"C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminlxSWM©" /t reg_sz /d "\"C:\AdminlxSWM©\pwzmw©.exe\"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminlxSWM©" /t reg_sz /d "\"C:\AdminlxSWM©\pwzmw©.exe\"
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
"C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 00
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shutdown.exe (depth 4)
shutdown -r -f -t 00
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe (depth 1)
"LogonUI.exe" /flags:0x0
-
C:\Windows\system32\LogonUI.exe (depth 1)
"LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads