Analysis
-
max time kernel
96s -
max time network
102s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
07-12-2022 17:14
Static task
static1
Behavioral task
behavioral1
Sample
7d35396b85f32777a8a70cbff172be4d037ec8609236d697a3ff4d0b76a8cdb4.msi
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
7d35396b85f32777a8a70cbff172be4d037ec8609236d697a3ff4d0b76a8cdb4.msi
Resource
win10v2004-20221111-en
General
-
Target
7d35396b85f32777a8a70cbff172be4d037ec8609236d697a3ff4d0b76a8cdb4.msi
-
Size
660KB
-
MD5
ab21353bfd48417fc6ee294d83904b61
-
SHA1
6c7cfdc49060d361b2fdbe5a02c2372a290ee651
-
SHA256
7d35396b85f32777a8a70cbff172be4d037ec8609236d697a3ff4d0b76a8cdb4
-
SHA512
ed23c1548db2d40fbc69634876c6c12b105dbd8968498c971427dd1214a23429af48b3925066de79fc9c1fc70c6b6d212ca3d1d76baba6086c90bf559697fc64
-
SSDEEP
12288:rwHL0D7vkCPumy9chfA+tm5O//V777777LwmqLcQF3uI:cHL0f/zyt+E5OX63F3uI
Malware Config
Extracted
icedid
3451073236
aslowigza.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 2 1768 rundll32.exe 4 1768 rundll32.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 1928 MsiExec.exe 752 rundll32.exe 1768 rundll32.exe 1768 rundll32.exe 1768 rundll32.exe 1768 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Drops file in Windows directory 15 IoCs
Processes:
rundll32.exemsiexec.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\MSI8EC9.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI8EC9.tmp-\WixSharp.dll rundll32.exe File created C:\Windows\Installer\6c8def.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI8EC9.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\Installer\6c8dee.msi msiexec.exe File opened for modification C:\Windows\Installer\6c8dee.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI8EC9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8EC9.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\6c8df1.msi msiexec.exe File opened for modification C:\Windows\Installer\6c8def.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSI9EFF.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 972 msiexec.exe 972 msiexec.exe 1768 rundll32.exe 1768 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1380 msiexec.exe Token: SeIncreaseQuotaPrivilege 1380 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeSecurityPrivilege 972 msiexec.exe Token: SeCreateTokenPrivilege 1380 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1380 msiexec.exe Token: SeLockMemoryPrivilege 1380 msiexec.exe Token: SeIncreaseQuotaPrivilege 1380 msiexec.exe Token: SeMachineAccountPrivilege 1380 msiexec.exe Token: SeTcbPrivilege 1380 msiexec.exe Token: SeSecurityPrivilege 1380 msiexec.exe Token: SeTakeOwnershipPrivilege 1380 msiexec.exe Token: SeLoadDriverPrivilege 1380 msiexec.exe Token: SeSystemProfilePrivilege 1380 msiexec.exe Token: SeSystemtimePrivilege 1380 msiexec.exe Token: SeProfSingleProcessPrivilege 1380 msiexec.exe Token: SeIncBasePriorityPrivilege 1380 msiexec.exe Token: SeCreatePagefilePrivilege 1380 msiexec.exe Token: SeCreatePermanentPrivilege 1380 msiexec.exe Token: SeBackupPrivilege 1380 msiexec.exe Token: SeRestorePrivilege 1380 msiexec.exe Token: SeShutdownPrivilege 1380 msiexec.exe Token: SeDebugPrivilege 1380 msiexec.exe Token: SeAuditPrivilege 1380 msiexec.exe Token: SeSystemEnvironmentPrivilege 1380 msiexec.exe Token: SeChangeNotifyPrivilege 1380 msiexec.exe Token: SeRemoteShutdownPrivilege 1380 msiexec.exe Token: SeUndockPrivilege 1380 msiexec.exe Token: SeSyncAgentPrivilege 1380 msiexec.exe Token: SeEnableDelegationPrivilege 1380 msiexec.exe Token: SeManageVolumePrivilege 1380 msiexec.exe Token: SeImpersonatePrivilege 1380 msiexec.exe Token: SeCreateGlobalPrivilege 1380 msiexec.exe Token: SeBackupPrivilege 1604 vssvc.exe Token: SeRestorePrivilege 1604 vssvc.exe Token: SeAuditPrivilege 1604 vssvc.exe Token: SeBackupPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 1992 DrvInst.exe Token: SeLoadDriverPrivilege 1992 DrvInst.exe Token: SeLoadDriverPrivilege 1992 DrvInst.exe Token: SeLoadDriverPrivilege 1992 DrvInst.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1380 msiexec.exe 1380 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 972 wrote to memory of 1928 972 msiexec.exe MsiExec.exe PID 972 wrote to memory of 1928 972 msiexec.exe MsiExec.exe PID 972 wrote to memory of 1928 972 msiexec.exe MsiExec.exe PID 972 wrote to memory of 1928 972 msiexec.exe MsiExec.exe PID 972 wrote to memory of 1928 972 msiexec.exe MsiExec.exe PID 1928 wrote to memory of 752 1928 MsiExec.exe rundll32.exe PID 1928 wrote to memory of 752 1928 MsiExec.exe rundll32.exe PID 1928 wrote to memory of 752 1928 MsiExec.exe rundll32.exe PID 752 wrote to memory of 1768 752 rundll32.exe rundll32.exe PID 752 wrote to memory of 1768 752 rundll32.exe rundll32.exe PID 752 wrote to memory of 1768 752 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7d35396b85f32777a8a70cbff172be4d037ec8609236d697a3ff4d0b76a8cdb4.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 22ADA00046B6C054A7A1E999F82452DB2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI8EC9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7114846 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp95FA.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003B0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp95FA.dllFilesize
209KB
MD5a7796446412bb9dc9ba7100ad7100d7b
SHA19054b27ffa94b9eced264337d55a47036d0215e0
SHA2560ae0dbcf530a8f17dd69686d14f2878fd3470a8c0360e43a0a750208a82c209b
SHA512100592460c808efd97bc4e893de2983996f1404fdfbd099afbbcffbffcdf04f6e42aeef6fe21f49f86abc13abc2d7c72112d22a0f96233f0a5745d4f9bf8f269
-
C:\Windows\Installer\MSI8EC9.tmpFilesize
413KB
MD5100644bf96a8eddd003be537bcb66aae
SHA143b0060ef9ace188fc818ec303199a88838b48ee
SHA2569c5bcbc87763b33418af8b41caad79d46268e4a4c56aed339a189311fe787874
SHA512215191fe8a1f6068fc19f2e3f4947245a9e7820166245d7da2f405e04d0fe5cabca1895fd0d10b8024a065ddb99c310e90d341914435a1c66be8b4af4415b085
-
\Users\Admin\AppData\Local\Temp\tmp95FA.dllFilesize
209KB
MD5a7796446412bb9dc9ba7100ad7100d7b
SHA19054b27ffa94b9eced264337d55a47036d0215e0
SHA2560ae0dbcf530a8f17dd69686d14f2878fd3470a8c0360e43a0a750208a82c209b
SHA512100592460c808efd97bc4e893de2983996f1404fdfbd099afbbcffbffcdf04f6e42aeef6fe21f49f86abc13abc2d7c72112d22a0f96233f0a5745d4f9bf8f269
-
\Users\Admin\AppData\Local\Temp\tmp95FA.dllFilesize
209KB
MD5a7796446412bb9dc9ba7100ad7100d7b
SHA19054b27ffa94b9eced264337d55a47036d0215e0
SHA2560ae0dbcf530a8f17dd69686d14f2878fd3470a8c0360e43a0a750208a82c209b
SHA512100592460c808efd97bc4e893de2983996f1404fdfbd099afbbcffbffcdf04f6e42aeef6fe21f49f86abc13abc2d7c72112d22a0f96233f0a5745d4f9bf8f269
-
\Users\Admin\AppData\Local\Temp\tmp95FA.dllFilesize
209KB
MD5a7796446412bb9dc9ba7100ad7100d7b
SHA19054b27ffa94b9eced264337d55a47036d0215e0
SHA2560ae0dbcf530a8f17dd69686d14f2878fd3470a8c0360e43a0a750208a82c209b
SHA512100592460c808efd97bc4e893de2983996f1404fdfbd099afbbcffbffcdf04f6e42aeef6fe21f49f86abc13abc2d7c72112d22a0f96233f0a5745d4f9bf8f269
-
\Users\Admin\AppData\Local\Temp\tmp95FA.dllFilesize
209KB
MD5a7796446412bb9dc9ba7100ad7100d7b
SHA19054b27ffa94b9eced264337d55a47036d0215e0
SHA2560ae0dbcf530a8f17dd69686d14f2878fd3470a8c0360e43a0a750208a82c209b
SHA512100592460c808efd97bc4e893de2983996f1404fdfbd099afbbcffbffcdf04f6e42aeef6fe21f49f86abc13abc2d7c72112d22a0f96233f0a5745d4f9bf8f269
-
\Windows\Installer\MSI8EC9.tmpFilesize
413KB
MD5100644bf96a8eddd003be537bcb66aae
SHA143b0060ef9ace188fc818ec303199a88838b48ee
SHA2569c5bcbc87763b33418af8b41caad79d46268e4a4c56aed339a189311fe787874
SHA512215191fe8a1f6068fc19f2e3f4947245a9e7820166245d7da2f405e04d0fe5cabca1895fd0d10b8024a065ddb99c310e90d341914435a1c66be8b4af4415b085
-
\Windows\Installer\MSI8EC9.tmpFilesize
413KB
MD5100644bf96a8eddd003be537bcb66aae
SHA143b0060ef9ace188fc818ec303199a88838b48ee
SHA2569c5bcbc87763b33418af8b41caad79d46268e4a4c56aed339a189311fe787874
SHA512215191fe8a1f6068fc19f2e3f4947245a9e7820166245d7da2f405e04d0fe5cabca1895fd0d10b8024a065ddb99c310e90d341914435a1c66be8b4af4415b085
-
memory/752-60-0x0000000000000000-mapping.dmp
-
memory/752-64-0x0000000001E60000-0x0000000001ED0000-memory.dmpFilesize
448KB
-
memory/752-63-0x0000000001D60000-0x0000000001D6A000-memory.dmpFilesize
40KB
-
memory/752-62-0x0000000001D20000-0x0000000001D4E000-memory.dmpFilesize
184KB
-
memory/1380-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmpFilesize
8KB
-
memory/1768-66-0x0000000000000000-mapping.dmp
-
memory/1768-72-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/1928-56-0x0000000000000000-mapping.dmp