Analysis
max time kernel
93s
max time network
97s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
13-12-2022 17:55
Static task
static1
Behavioral task
behavioral1
Sample
Setup_Win_13-12-2022_17-31-38.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Setup_Win_13-12-2022_17-31-38.msi
Resource
win10v2004-20220812-en
General
-
Target
Setup_Win_13-12-2022_17-31-38.msi
-
Size
1.4MB
-
MD5
8b5b12a30a087fbba3b14665a8951b1d
-
SHA1
b4cb2e10c0d4144f662d70f1635f31037f6db8c8
-
SHA256
75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67
-
SHA512
93465a3fa6874f5bc51a1442b724bdfa5d8af576211506c55dd4af02e3d5dacd7004f84ddd835e609bdf3cd119edfee6666507bacee3e799f9e12179bbfbc08e
-
SSDEEP
24576:BHL0lPEJnFbMyawb8e1e96Pef7k0bNRjpB4dPURad+J:Br0yJKyaC/BPg1Rad+
Malware Config
Extracted
icedid
1010550214
estrabornhot.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exe
flow  pid   process
2     2000  rundll32.exe
4     2000  rundll32.exe
-
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exe, rundll32.exe, rundll32.exe
pid   process
1400  MsiExec.exe
1740  rundll32.exe
2000  rundll32.exe
2000  rundll32.exe
2000  rundll32.exe
2000  rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
Processes:
DrvInst.exe, msiexec.exe, rundll32.exe
description                   ioc  process
File opened for modification  C:\Windows\INF\setupapi.ev1  DrvInst.exe
File opened for modification  C:\Windows\Installer\6c4ead.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4F3A.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\6c4eae.ipi  msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.ev3  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
File created                  C:\Windows\Installer\6c4ead.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4F3A.tmp-\test.cs.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI4F3A.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created                  C:\Windows\Installer\6c4eb0.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4F3A.tmp-\CustomAction.config  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI4F3A.tmp-\WixSharp.dll  rundll32.exe
File created                  C:\Windows\Installer\6c4eae.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6135.tmp  msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exe, rundll32.exe
pid   process
892   msiexec.exe
892   msiexec.exe
2000  rundll32.exe
2000  rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid   process
1652  msiexec.exe
1652  msiexec.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exe, MsiExec.exe, rundll32.exe
description                        pid   process       target process
PID 892 wrote to memory of 1400    892   msiexec.exe   MsiExec.exe
PID 892 wrote to memory of 1400    892   msiexec.exe   MsiExec.exe
PID 892 wrote to memory of 1400    892   msiexec.exe   MsiExec.exe
PID 892 wrote to memory of 1400    892   msiexec.exe   MsiExec.exe
PID 892 wrote to memory of 1400    892   msiexec.exe   MsiExec.exe
PID 1400 wrote to memory of 1740   1400  MsiExec.exe   rundll32.exe
PID 1400 wrote to memory of 1740   1400  MsiExec.exe   rundll32.exe
PID 1400 wrote to memory of 1740   1400  MsiExec.exe   rundll32.exe
PID 1740 wrote to memory of 2000   1740  rundll32.exe  rundll32.exe
PID 1740 wrote to memory of 2000   1740  rundll32.exe  rundll32.exe
PID 1740 wrote to memory of 2000   1740  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_13-12-2022_17-31-38.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding A8C0DC275E246332DFD0152053DC41B6
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI4F3A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7098341 1 test.cs!Test.CustomActions.MyAction
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
            - C:\Windows\System32\rundll32.exe
              "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp561D.dll",init
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A8" "00000000000003D4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp561D.dll
Filesize
970KB
MD5
6a058edb49674a880e176765872419d8
SHA1
f44ae6593971176b6fe30b481c923bcb85b84b9f
SHA256
b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8
SHA512
c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b
-
C:\Windows\Installer\MSI4F3A.tmp
Filesize
413KB
MD5
859c238b1aa6bbcdaaabe3e5d7f1dad6
SHA1
2a8c17ec585a39f6eba3207a08f865f2ef3c47bd
SHA256
d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae
SHA512
95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7