Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
12-12-2022 17:27
Static task
static1
Behavioral task
behavioral1
Sample
build-064.msi
Resource
win7-20221111-en
General
-
Target
build-064.msi
-
Size
720KB
-
MD5
4b5e7a1fbd90cd678b8648ff34de5813
-
SHA1
efa480263a6d2bf167592b04bd64e0ebe5685318
-
SHA256
f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb
-
SHA512
f19664821059994e7e7f07dec13eb61a87ee1b138bb5344c14909bed8315cc27946414f47fbcd011a0a569203542114434fe9a5f9f02bacb101605459f4e4dde
-
SSDEEP
12288:/wHL0D7MkCPumy9chfA+tC8B0igC+/NHBT1SMut:YHL08/zyt+Q8BtZKBRSZ
Malware Config
Extracted
icedid
787509923
kamintrewftor.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 1352 rundll32.exe 4 1352 rundll32.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 680 MsiExec.exe 1480 rundll32.exe 1352 rundll32.exe 1352 rundll32.exe 1352 rundll32.exe 1352 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Drops file in Windows directory 15 IoCs
Processes:
msiexec.exerundll32.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\MSI87B8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI67E8.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI67E8.tmp-\WixSharp.dll rundll32.exe File opened for modification C:\Windows\Installer\6c675b.msi msiexec.exe File opened for modification C:\Windows\Installer\6c675c.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\6c675b.msi msiexec.exe File created C:\Windows\Installer\6c675c.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\6c675e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI67E8.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI67E8.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI67E8.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exemsiexec.exepid process 1352 rundll32.exe 1352 rundll32.exe 1676 msiexec.exe 1676 msiexec.exe 1352 rundll32.exe 1352 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1780 msiexec.exe Token: SeIncreaseQuotaPrivilege 1780 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeSecurityPrivilege 1676 msiexec.exe Token: SeCreateTokenPrivilege 1780 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1780 msiexec.exe Token: SeLockMemoryPrivilege 1780 msiexec.exe Token: SeIncreaseQuotaPrivilege 1780 msiexec.exe Token: SeMachineAccountPrivilege 1780 msiexec.exe Token: SeTcbPrivilege 1780 msiexec.exe Token: SeSecurityPrivilege 1780 msiexec.exe Token: SeTakeOwnershipPrivilege 1780 msiexec.exe Token: SeLoadDriverPrivilege 1780 msiexec.exe Token: SeSystemProfilePrivilege 1780 msiexec.exe Token: SeSystemtimePrivilege 1780 msiexec.exe Token: SeProfSingleProcessPrivilege 1780 msiexec.exe Token: SeIncBasePriorityPrivilege 1780 msiexec.exe Token: SeCreatePagefilePrivilege 1780 msiexec.exe Token: SeCreatePermanentPrivilege 1780 msiexec.exe Token: SeBackupPrivilege 1780 msiexec.exe Token: SeRestorePrivilege 1780 msiexec.exe Token: SeShutdownPrivilege 1780 msiexec.exe Token: SeDebugPrivilege 1780 msiexec.exe Token: SeAuditPrivilege 1780 msiexec.exe Token: SeSystemEnvironmentPrivilege 1780 msiexec.exe Token: SeChangeNotifyPrivilege 1780 msiexec.exe Token: SeRemoteShutdownPrivilege 1780 msiexec.exe Token: SeUndockPrivilege 1780 msiexec.exe Token: SeSyncAgentPrivilege 1780 msiexec.exe Token: SeEnableDelegationPrivilege 1780 msiexec.exe Token: SeManageVolumePrivilege 1780 msiexec.exe Token: SeImpersonatePrivilege 1780 msiexec.exe Token: SeCreateGlobalPrivilege 1780 msiexec.exe Token: SeBackupPrivilege 544 vssvc.exe Token: SeRestorePrivilege 544 vssvc.exe Token: SeAuditPrivilege 544 vssvc.exe Token: SeBackupPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1664 DrvInst.exe Token: SeLoadDriverPrivilege 1664 DrvInst.exe Token: SeLoadDriverPrivilege 1664 DrvInst.exe Token: SeLoadDriverPrivilege 1664 DrvInst.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe Token: SeTakeOwnershipPrivilege 1676 msiexec.exe Token: SeRestorePrivilege 1676 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1780 msiexec.exe 1780 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 1676 wrote to memory of 680 1676 msiexec.exe MsiExec.exe PID 1676 wrote to memory of 680 1676 msiexec.exe MsiExec.exe PID 1676 wrote to memory of 680 1676 msiexec.exe MsiExec.exe PID 1676 wrote to memory of 680 1676 msiexec.exe MsiExec.exe PID 1676 wrote to memory of 680 1676 msiexec.exe MsiExec.exe PID 680 wrote to memory of 1480 680 MsiExec.exe rundll32.exe PID 680 wrote to memory of 1480 680 MsiExec.exe rundll32.exe PID 680 wrote to memory of 1480 680 MsiExec.exe rundll32.exe PID 1480 wrote to memory of 1352 1480 rundll32.exe rundll32.exe PID 1480 wrote to memory of 1352 1480 rundll32.exe rundll32.exe PID 1480 wrote to memory of 1352 1480 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-064.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 1BC7B6DCDF0054DBA82722B2F0DEAA9F2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI67E8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7104769 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp7DE7.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000039C" "00000000000005AC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7DE7.dllFilesize
269KB
MD5bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA190f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
C:\Windows\Installer\MSI67E8.tmpFilesize
413KB
MD5d936bc2363e2139a65701b9ad1af9cee
SHA1842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
SHA2568b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
SHA51268dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
-
\Users\Admin\AppData\Local\Temp\tmp7DE7.dllFilesize
269KB
MD5bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA190f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
\Users\Admin\AppData\Local\Temp\tmp7DE7.dllFilesize
269KB
MD5bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA190f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
\Users\Admin\AppData\Local\Temp\tmp7DE7.dllFilesize
269KB
MD5bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA190f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
\Users\Admin\AppData\Local\Temp\tmp7DE7.dllFilesize
269KB
MD5bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA190f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
\Windows\Installer\MSI67E8.tmpFilesize
413KB
MD5d936bc2363e2139a65701b9ad1af9cee
SHA1842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
SHA2568b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
SHA51268dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
-
\Windows\Installer\MSI67E8.tmpFilesize
413KB
MD5d936bc2363e2139a65701b9ad1af9cee
SHA1842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
SHA2568b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
SHA51268dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
-
memory/680-56-0x0000000000000000-mapping.dmp
-
memory/1352-72-0x00000000001B0000-0x00000000001B9000-memory.dmpFilesize
36KB
-
memory/1352-66-0x0000000000000000-mapping.dmp
-
memory/1480-60-0x0000000000000000-mapping.dmp
-
memory/1480-64-0x000000001A270000-0x000000001A2E0000-memory.dmpFilesize
448KB
-
memory/1480-63-0x0000000001F50000-0x0000000001F5A000-memory.dmpFilesize
40KB
-
memory/1480-62-0x0000000001F00000-0x0000000001F2E000-memory.dmpFilesize
184KB
-
memory/1780-54-0x000007FEFB641000-0x000007FEFB643000-memory.dmpFilesize
8KB