Analysis
max time kernel: 97s
max time network: 102s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2022 17:19
Static task: static1
Behavioral task: behavioral1
Sample: build-064.msi
Resource: win7-20221111-en
General
Target: build-064.msi
Size: 720KB
MD5: 4b5e7a1fbd90cd678b8648ff34de5813
SHA1: efa480263a6d2bf167592b04bd64e0ebe5685318
SHA256: f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb
SHA512: f19664821059994e7e7f07dec13eb61a87ee1b138bb5344c14909bed8315cc27946414f47fbcd011a0a569203542114434fe9a5f9f02bacb101605459f4e4dde
SSDEEP: 12288:/wHL0D7MkCPumy9chfA+tC8B0igC+/NHBT1SMut:YHL08/zyt+Q8BtZKBRSZ
Malware Config
Extracted
icedid
787509923
kamintrewftor.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exe
flow | pid | process
3 | 2032 | rundll32.exe
4 | 2032 | rundll32.exe
-
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exe, rundll32.exe, rundll32.exe
pid | process
836 | MsiExec.exe
1908 | rundll32.exe
2032 | rundll32.exe
2032 | rundll32.exe
2032 | rundll32.exe
2032 | rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
Processes:
msiexec.exe, rundll32.exe, DrvInst.exe
description | ioc | process
File created | C:\Windows\Installer\6c933c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\6c933c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI938A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI938A.tmp-\test.cs.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI938A.tmp-\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\6c933d.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA279.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI938A.tmp-\WixSharp.dll | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI938A.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File created | C:\Windows\Installer\6c933f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\6c933d.ipi | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exe, msiexec.exe
pid | process
2032 | rundll32.exe
2032 | rundll32.exe
1308 | msiexec.exe
1308 | msiexec.exe
2032 | rundll32.exe
2032 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid | process
1756 | msiexec.exe
1756 | msiexec.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exe, MsiExec.exe, rundll32.exe
description | pid | process | target process
PID 1308 wrote to memory of 836 | 1308 | msiexec.exe | MsiExec.exe
PID 1308 wrote to memory of 836 | 1308 | msiexec.exe | MsiExec.exe
PID 1308 wrote to memory of 836 | 1308 | msiexec.exe | MsiExec.exe
PID 1308 wrote to memory of 836 | 1308 | msiexec.exe | MsiExec.exe
PID 1308 wrote to memory of 836 | 1308 | msiexec.exe | MsiExec.exe
PID 836 wrote to memory of 1908 | 836 | MsiExec.exe | rundll32.exe
PID 836 wrote to memory of 1908 | 836 | MsiExec.exe | rundll32.exe
PID 836 wrote to memory of 1908 | 836 | MsiExec.exe | rundll32.exe
PID 1908 wrote to memory of 2032 | 1908 | rundll32.exe | rundll32.exe
PID 1908 wrote to memory of 2032 | 1908 | rundll32.exe | rundll32.exe
PID 1908 wrote to memory of 2032 | 1908 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe (process tree depth 1)
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-064.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (process tree depth 1)
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exe (process tree depth 2)
C:\Windows\system32\MsiExec.exe -Embedding 4DDBC7B185248618CF315632BB527DC0
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe (process tree depth 3)
rundll32.exe "C:\Windows\Installer\MSI938A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7115907 1 test.cs!Test.CustomActions.MyAction
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe (process tree depth 4)
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9B08.dll",init
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe (process tree depth 1)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe (process tree depth 1)
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "0000000000000314"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9B08.dll
Filesize: 269KB
MD5: bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA1: 90f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256: f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512: 754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
C:\Windows\Installer\MSI938A.tmp
Filesize: 413KB
MD5: d936bc2363e2139a65701b9ad1af9cee
SHA1: 842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
SHA256: 8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
SHA512: 68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
-
\Users\Admin\AppData\Local\Temp\tmp9B08.dll
Filesize: 269KB
MD5: bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA1: 90f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256: f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512: 754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
\Windows\Installer\MSI938A.tmp
Filesize: 413KB
MD5: d936bc2363e2139a65701b9ad1af9cee
SHA1: 842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
SHA256: 8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
SHA512: 68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
-
memory/836-56-0x0000000000000000-mapping.dmp
-
memory/1756-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp
Filesize: 8KB
-
memory/1908-60-0x0000000000000000-mapping.dmp
-
memory/1908-64-0x0000000002090000-0x0000000002100000-memory.dmp
Filesize: 448KB
-
memory/1908-63-0x0000000001C00000-0x0000000001C0A000-memory.dmp
Filesize: 40KB
-
memory/1908-62-0x0000000001B30000-0x0000000001B5E000-memory.dmp
Filesize: 184KB
-
memory/2032-66-0x0000000000000000-mapping.dmp
-
memory/2032-72-0x00000000001A0000-0x00000000001A9000-memory.dmp
Filesize: 36KB