Analysis
-
max time kernel
94s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
14-12-2022 06:26
Static task
static1
Behavioral task
behavioral1
Sample
soon_even.msi
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
soon_even.msi
Resource
win10v2004-20221111-en
General
-
Target
soon_even.msi
-
Size
1.4MB
-
MD5
e97dda068d2b38835208a41cadad4740
-
SHA1
67adf8ec8479b8132f7a999f7d7556481d584208
-
SHA256
ebd022c7fed376881b90383028b0a6b18bc68f068cab5b4dadc57690612952e7
-
SHA512
8da4eff36676d8ed7cf13c0da0a853e19d54eaeb3c3d3ee4cb7945e1db4582fbb879838f91660a6a53f88ac29c12c633e88d713a92152d8116ea3fe6ee0ff634
-
SSDEEP
24576:nHL0HPEJnFbMyaPb8e1e96Pef7k0bNRjpB4dPURaZ:nr0MJKyaT/BPg1RaZ
Malware Config
Extracted
icedid
3407323965
estrabornhot.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 2 1940 rundll32.exe 4 1940 rundll32.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 1528 MsiExec.exe 1736 rundll32.exe 1940 rundll32.exe 1940 rundll32.exe 1940 rundll32.exe 1940 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in Windows directory 15 IoCs
Processes:
rundll32.exemsiexec.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\MSI5C54.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\6c5bca.msi msiexec.exe File opened for modification C:\Windows\Installer\6c5bc8.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSI5C54.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\6c5bc8.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Installer\MSI5C54.tmp-\WixSharp.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI5C54.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI5C54.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6B52.tmp msiexec.exe File created C:\Windows\Installer\6c5bc7.msi msiexec.exe File opened for modification C:\Windows\Installer\6c5bc7.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 556 msiexec.exe 556 msiexec.exe 1940 rundll32.exe 1940 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1720 msiexec.exe Token: SeIncreaseQuotaPrivilege 1720 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeSecurityPrivilege 556 msiexec.exe Token: SeCreateTokenPrivilege 1720 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1720 msiexec.exe Token: SeLockMemoryPrivilege 1720 msiexec.exe Token: SeIncreaseQuotaPrivilege 1720 msiexec.exe Token: SeMachineAccountPrivilege 1720 msiexec.exe Token: SeTcbPrivilege 1720 msiexec.exe Token: SeSecurityPrivilege 1720 msiexec.exe Token: SeTakeOwnershipPrivilege 1720 msiexec.exe Token: SeLoadDriverPrivilege 1720 msiexec.exe Token: SeSystemProfilePrivilege 1720 msiexec.exe Token: SeSystemtimePrivilege 1720 msiexec.exe Token: SeProfSingleProcessPrivilege 1720 msiexec.exe Token: SeIncBasePriorityPrivilege 1720 msiexec.exe Token: SeCreatePagefilePrivilege 1720 msiexec.exe Token: SeCreatePermanentPrivilege 1720 msiexec.exe Token: SeBackupPrivilege 1720 msiexec.exe Token: SeRestorePrivilege 1720 msiexec.exe Token: SeShutdownPrivilege 1720 msiexec.exe Token: SeDebugPrivilege 1720 msiexec.exe Token: SeAuditPrivilege 1720 msiexec.exe Token: SeSystemEnvironmentPrivilege 1720 msiexec.exe Token: SeChangeNotifyPrivilege 1720 msiexec.exe Token: SeRemoteShutdownPrivilege 1720 msiexec.exe Token: SeUndockPrivilege 1720 msiexec.exe Token: SeSyncAgentPrivilege 1720 msiexec.exe Token: SeEnableDelegationPrivilege 1720 msiexec.exe Token: SeManageVolumePrivilege 1720 msiexec.exe Token: SeImpersonatePrivilege 1720 msiexec.exe Token: SeCreateGlobalPrivilege 1720 msiexec.exe Token: SeBackupPrivilege 544 vssvc.exe Token: SeRestorePrivilege 544 vssvc.exe Token: SeAuditPrivilege 544 vssvc.exe Token: SeBackupPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 1620 DrvInst.exe Token: SeLoadDriverPrivilege 1620 DrvInst.exe Token: SeLoadDriverPrivilege 1620 DrvInst.exe Token: SeLoadDriverPrivilege 1620 DrvInst.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1720 msiexec.exe 1720 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 556 wrote to memory of 1528 556 msiexec.exe MsiExec.exe PID 556 wrote to memory of 1528 556 msiexec.exe MsiExec.exe PID 556 wrote to memory of 1528 556 msiexec.exe MsiExec.exe PID 556 wrote to memory of 1528 556 msiexec.exe MsiExec.exe PID 556 wrote to memory of 1528 556 msiexec.exe MsiExec.exe PID 1528 wrote to memory of 1736 1528 MsiExec.exe rundll32.exe PID 1528 wrote to memory of 1736 1528 MsiExec.exe rundll32.exe PID 1528 wrote to memory of 1736 1528 MsiExec.exe rundll32.exe PID 1736 wrote to memory of 1940 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1940 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1940 1736 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon_even.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 8C857A0E478E34CF4DD0A531565E05F82⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5C54.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7101867 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp629B.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000003C4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp629B.dllFilesize
970KB
MD52890e5f0cfc6002f91d3c6fe864fd13b
SHA1571bf0539400fcd6f803b10be2fa86782110fd2d
SHA25668a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
SHA512157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
-
C:\Windows\Installer\MSI5C54.tmpFilesize
413KB
MD5146e479aafa7af37336def7997189975
SHA196481247f7addef1c67b700a87a0815cc5318bfa
SHA256763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd
SHA512a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba
-
\Users\Admin\AppData\Local\Temp\tmp629B.dllFilesize
970KB
MD52890e5f0cfc6002f91d3c6fe864fd13b
SHA1571bf0539400fcd6f803b10be2fa86782110fd2d
SHA25668a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
SHA512157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
-
\Users\Admin\AppData\Local\Temp\tmp629B.dllFilesize
970KB
MD52890e5f0cfc6002f91d3c6fe864fd13b
SHA1571bf0539400fcd6f803b10be2fa86782110fd2d
SHA25668a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
SHA512157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
-
\Users\Admin\AppData\Local\Temp\tmp629B.dllFilesize
970KB
MD52890e5f0cfc6002f91d3c6fe864fd13b
SHA1571bf0539400fcd6f803b10be2fa86782110fd2d
SHA25668a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
SHA512157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
-
\Users\Admin\AppData\Local\Temp\tmp629B.dllFilesize
970KB
MD52890e5f0cfc6002f91d3c6fe864fd13b
SHA1571bf0539400fcd6f803b10be2fa86782110fd2d
SHA25668a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
SHA512157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
-
\Windows\Installer\MSI5C54.tmpFilesize
413KB
MD5146e479aafa7af37336def7997189975
SHA196481247f7addef1c67b700a87a0815cc5318bfa
SHA256763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd
SHA512a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba
-
\Windows\Installer\MSI5C54.tmpFilesize
413KB
MD5146e479aafa7af37336def7997189975
SHA196481247f7addef1c67b700a87a0815cc5318bfa
SHA256763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd
SHA512a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba
-
memory/1528-56-0x0000000000000000-mapping.dmp
-
memory/1720-54-0x000007FEFC011000-0x000007FEFC013000-memory.dmpFilesize
8KB
-
memory/1736-64-0x0000000001F80000-0x0000000001FF0000-memory.dmpFilesize
448KB
-
memory/1736-63-0x0000000001D40000-0x0000000001D4A000-memory.dmpFilesize
40KB
-
memory/1736-62-0x0000000001D10000-0x0000000001D3E000-memory.dmpFilesize
184KB
-
memory/1736-60-0x0000000000000000-mapping.dmp
-
memory/1940-66-0x0000000000000000-mapping.dmp
-
memory/1940-72-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB