Analysis
-
max time kernel
103s -
max time network
110s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
08-12-2022 18:33
Static task
static1
Behavioral task
behavioral1
Sample
Document_07-12-2022_20-09-12_PDF.msi
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Document_07-12-2022_20-09-12_PDF.msi
Resource
win10v2004-20220901-en
General
-
Target
Document_07-12-2022_20-09-12_PDF.msi
-
Size
1.2MB
-
MD5
8b0c350a9acf409690db50979fa8628e
-
SHA1
fa2bc04d301093a448d78560f86ad9b60930027d
-
SHA256
99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef
-
SHA512
01a685fb5a461261baaa15188565ca816712fe3b86a9776cc3b0941c4031a59b324d647446f88e0485d1b5ae60214bb35798341b24cc486fdc758cfec89d5bfc
-
SSDEEP
24576:wHL0tNrx5zH8h2q1ioC7ZTVVT+XirpTs7sx0QBnoNjla+idlpdIFyF3N0:wr0tNrxeB1BG/F+uTsAx0tlpidvdkyFC
Malware Config
Extracted
icedid
1234857371
ewgahskoot.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 2 1752 rundll32.exe 4 1752 rundll32.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 1528 MsiExec.exe 1624 rundll32.exe 1752 rundll32.exe 1752 rundll32.exe 1752 rundll32.exe 1752 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\M: msiexec.exe -
Drops file in Windows directory 15 IoCs
Processes:
DrvInst.exemsiexec.exerundll32.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Installer\MSIA4D9.tmp msiexec.exe File opened for modification C:\Windows\Installer\6c9272.ipi msiexec.exe File created C:\Windows\Installer\6c9271.msi msiexec.exe File opened for modification C:\Windows\Installer\6c9271.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI931C.tmp-\test.cs.dll rundll32.exe File created C:\Windows\Installer\6c9274.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI931C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI931C.tmp-\WixSharp.dll rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI931C.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI931C.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\6c9272.ipi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 2028 msiexec.exe 2028 msiexec.exe 1752 rundll32.exe 1752 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1128 msiexec.exe Token: SeIncreaseQuotaPrivilege 1128 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeSecurityPrivilege 2028 msiexec.exe Token: SeCreateTokenPrivilege 1128 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1128 msiexec.exe Token: SeLockMemoryPrivilege 1128 msiexec.exe Token: SeIncreaseQuotaPrivilege 1128 msiexec.exe Token: SeMachineAccountPrivilege 1128 msiexec.exe Token: SeTcbPrivilege 1128 msiexec.exe Token: SeSecurityPrivilege 1128 msiexec.exe Token: SeTakeOwnershipPrivilege 1128 msiexec.exe Token: SeLoadDriverPrivilege 1128 msiexec.exe Token: SeSystemProfilePrivilege 1128 msiexec.exe Token: SeSystemtimePrivilege 1128 msiexec.exe Token: SeProfSingleProcessPrivilege 1128 msiexec.exe Token: SeIncBasePriorityPrivilege 1128 msiexec.exe Token: SeCreatePagefilePrivilege 1128 msiexec.exe Token: SeCreatePermanentPrivilege 1128 msiexec.exe Token: SeBackupPrivilege 1128 msiexec.exe Token: SeRestorePrivilege 1128 msiexec.exe Token: SeShutdownPrivilege 1128 msiexec.exe Token: SeDebugPrivilege 1128 msiexec.exe Token: SeAuditPrivilege 1128 msiexec.exe Token: SeSystemEnvironmentPrivilege 1128 msiexec.exe Token: SeChangeNotifyPrivilege 1128 msiexec.exe Token: SeRemoteShutdownPrivilege 1128 msiexec.exe Token: SeUndockPrivilege 1128 msiexec.exe Token: SeSyncAgentPrivilege 1128 msiexec.exe Token: SeEnableDelegationPrivilege 1128 msiexec.exe Token: SeManageVolumePrivilege 1128 msiexec.exe Token: SeImpersonatePrivilege 1128 msiexec.exe Token: SeCreateGlobalPrivilege 1128 msiexec.exe Token: SeBackupPrivilege 1240 vssvc.exe Token: SeRestorePrivilege 1240 vssvc.exe Token: SeAuditPrivilege 1240 vssvc.exe Token: SeBackupPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeRestorePrivilege 692 DrvInst.exe Token: SeLoadDriverPrivilege 692 DrvInst.exe Token: SeLoadDriverPrivilege 692 DrvInst.exe Token: SeLoadDriverPrivilege 692 DrvInst.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1128 msiexec.exe 1128 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 2028 wrote to memory of 1528 2028 msiexec.exe MsiExec.exe PID 2028 wrote to memory of 1528 2028 msiexec.exe MsiExec.exe PID 2028 wrote to memory of 1528 2028 msiexec.exe MsiExec.exe PID 2028 wrote to memory of 1528 2028 msiexec.exe MsiExec.exe PID 2028 wrote to memory of 1528 2028 msiexec.exe MsiExec.exe PID 1528 wrote to memory of 1624 1528 MsiExec.exe rundll32.exe PID 1528 wrote to memory of 1624 1528 MsiExec.exe rundll32.exe PID 1528 wrote to memory of 1624 1528 MsiExec.exe rundll32.exe PID 1624 wrote to memory of 1752 1624 rundll32.exe rundll32.exe PID 1624 wrote to memory of 1752 1624 rundll32.exe rundll32.exe PID 1624 wrote to memory of 1752 1624 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Document_07-12-2022_20-09-12_PDF.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 8685A852AD8112D029BB566EE9C139052⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI931C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7115970 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9A9B.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "0000000000000574"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9A9B.dllFilesize
821KB
MD578bb5b0c9f7e2d5cabf36deee8941d80
SHA1c988e68e09364ffbfaafc5036ae98b91144b3aa2
SHA256b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc
SHA5125c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b
-
C:\Windows\Installer\MSI931C.tmpFilesize
413KB
MD5c3b8eb5198620adf3d33b703c40bcfa1
SHA1acc7e2cbcff2746762f793360b34d7aabcec116a
SHA256bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e
SHA5122255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd
-
\Users\Admin\AppData\Local\Temp\tmp9A9B.dllFilesize
821KB
MD578bb5b0c9f7e2d5cabf36deee8941d80
SHA1c988e68e09364ffbfaafc5036ae98b91144b3aa2
SHA256b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc
SHA5125c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b
-
\Users\Admin\AppData\Local\Temp\tmp9A9B.dllFilesize
821KB
MD578bb5b0c9f7e2d5cabf36deee8941d80
SHA1c988e68e09364ffbfaafc5036ae98b91144b3aa2
SHA256b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc
SHA5125c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b
-
\Users\Admin\AppData\Local\Temp\tmp9A9B.dllFilesize
821KB
MD578bb5b0c9f7e2d5cabf36deee8941d80
SHA1c988e68e09364ffbfaafc5036ae98b91144b3aa2
SHA256b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc
SHA5125c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b
-
\Users\Admin\AppData\Local\Temp\tmp9A9B.dllFilesize
821KB
MD578bb5b0c9f7e2d5cabf36deee8941d80
SHA1c988e68e09364ffbfaafc5036ae98b91144b3aa2
SHA256b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc
SHA5125c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b
-
\Windows\Installer\MSI931C.tmpFilesize
413KB
MD5c3b8eb5198620adf3d33b703c40bcfa1
SHA1acc7e2cbcff2746762f793360b34d7aabcec116a
SHA256bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e
SHA5122255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd
-
\Windows\Installer\MSI931C.tmpFilesize
413KB
MD5c3b8eb5198620adf3d33b703c40bcfa1
SHA1acc7e2cbcff2746762f793360b34d7aabcec116a
SHA256bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e
SHA5122255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd
-
memory/1128-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmpFilesize
8KB
-
memory/1528-56-0x0000000000000000-mapping.dmp
-
memory/1624-60-0x0000000000000000-mapping.dmp
-
memory/1624-64-0x0000000001EA0000-0x0000000001F10000-memory.dmpFilesize
448KB
-
memory/1624-63-0x00000000001D0000-0x00000000001DA000-memory.dmpFilesize
40KB
-
memory/1624-62-0x0000000000180000-0x00000000001AE000-memory.dmpFilesize
184KB
-
memory/1752-66-0x0000000000000000-mapping.dmp
-
memory/1752-72-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB