Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
14-12-2022 16:12
Static task
static1
Behavioral task
behavioral1
Sample
range_their.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
range_their.msi
Resource
win10v2004-20220812-en
General
-
Target
range_their.msi
-
Size
1.4MB
-
MD5
05b0f6ddd315e85d95038ade3d48f28a
-
SHA1
cb9aa99c2744b4fd1b755c9a3858df869645c24f
-
SHA256
4d47ae858358361c1620d6f0d083946944cffb4165ecc620522e6156d9009607
-
SHA512
44d1b19c4c5badb00622025e2426cb58ed2a084834ec3a3e49cefc7f64ce13dc9637e073af506faecc38eaa9a35c1b3886c3f87f08d41af4833771cdc4d8925b
-
SSDEEP
24576:wHL0kPEJnFbMyaRb8e1e96Pef7k0bNRjpB4dPURaH:wr0PJKyah/BPg1RaH
Malware Config
Extracted
icedid
3407323965
estrabornhot.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 2 788 rundll32.exe 4 788 rundll32.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 1872 MsiExec.exe 2012 rundll32.exe 788 rundll32.exe 788 rundll32.exe 788 rundll32.exe 788 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Drops file in Windows directory 15 IoCs
Processes:
DrvInst.exerundll32.exemsiexec.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSI59C5.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI59C5.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI59C5.tmp-\WixSharp.dll rundll32.exe File created C:\Windows\Installer\6c592a.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI6A3A.tmp msiexec.exe File created C:\Windows\Installer\6c5929.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI59C5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI59C5.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\6c592c.msi msiexec.exe File opened for modification C:\Windows\Installer\6c592a.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\6c5929.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 1936 msiexec.exe 1936 msiexec.exe 788 rundll32.exe 788 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 752 msiexec.exe Token: SeIncreaseQuotaPrivilege 752 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeSecurityPrivilege 1936 msiexec.exe Token: SeCreateTokenPrivilege 752 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 752 msiexec.exe Token: SeLockMemoryPrivilege 752 msiexec.exe Token: SeIncreaseQuotaPrivilege 752 msiexec.exe Token: SeMachineAccountPrivilege 752 msiexec.exe Token: SeTcbPrivilege 752 msiexec.exe Token: SeSecurityPrivilege 752 msiexec.exe Token: SeTakeOwnershipPrivilege 752 msiexec.exe Token: SeLoadDriverPrivilege 752 msiexec.exe Token: SeSystemProfilePrivilege 752 msiexec.exe Token: SeSystemtimePrivilege 752 msiexec.exe Token: SeProfSingleProcessPrivilege 752 msiexec.exe Token: SeIncBasePriorityPrivilege 752 msiexec.exe Token: SeCreatePagefilePrivilege 752 msiexec.exe Token: SeCreatePermanentPrivilege 752 msiexec.exe Token: SeBackupPrivilege 752 msiexec.exe Token: SeRestorePrivilege 752 msiexec.exe Token: SeShutdownPrivilege 752 msiexec.exe Token: SeDebugPrivilege 752 msiexec.exe Token: SeAuditPrivilege 752 msiexec.exe Token: SeSystemEnvironmentPrivilege 752 msiexec.exe Token: SeChangeNotifyPrivilege 752 msiexec.exe Token: SeRemoteShutdownPrivilege 752 msiexec.exe Token: SeUndockPrivilege 752 msiexec.exe Token: SeSyncAgentPrivilege 752 msiexec.exe Token: SeEnableDelegationPrivilege 752 msiexec.exe Token: SeManageVolumePrivilege 752 msiexec.exe Token: SeImpersonatePrivilege 752 msiexec.exe Token: SeCreateGlobalPrivilege 752 msiexec.exe Token: SeBackupPrivilege 2040 vssvc.exe Token: SeRestorePrivilege 2040 vssvc.exe Token: SeAuditPrivilege 2040 vssvc.exe Token: SeBackupPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeRestorePrivilege 828 DrvInst.exe Token: SeLoadDriverPrivilege 828 DrvInst.exe Token: SeLoadDriverPrivilege 828 DrvInst.exe Token: SeLoadDriverPrivilege 828 DrvInst.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 752 msiexec.exe 752 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 1936 wrote to memory of 1872 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 1872 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 1872 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 1872 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 1872 1936 msiexec.exe MsiExec.exe PID 1872 wrote to memory of 2012 1872 MsiExec.exe rundll32.exe PID 1872 wrote to memory of 2012 1872 MsiExec.exe rundll32.exe PID 1872 wrote to memory of 2012 1872 MsiExec.exe rundll32.exe PID 2012 wrote to memory of 788 2012 rundll32.exe rundll32.exe PID 2012 wrote to memory of 788 2012 rundll32.exe rundll32.exe PID 2012 wrote to memory of 788 2012 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\range_their.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 5FA738E93329432454BBDCC07352916E2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI59C5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7101071 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp6182.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "00000000000004A8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6182.dllFilesize
970KB
MD5c27a1d6ebc0ea34edb928b84031b222e
SHA1803b1bb8dba1fde73300308171bbca4eae04ec08
SHA256f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd
SHA5126f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7
-
C:\Windows\Installer\MSI59C5.tmpFilesize
413KB
MD57b045b56ba2b1ad587a45648e50e4975
SHA188dc8c279003919ba2610dd42a127eef562e88e7
SHA2567ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692
SHA5129f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722
-
\Users\Admin\AppData\Local\Temp\tmp6182.dllFilesize
970KB
MD5c27a1d6ebc0ea34edb928b84031b222e
SHA1803b1bb8dba1fde73300308171bbca4eae04ec08
SHA256f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd
SHA5126f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7
-
\Users\Admin\AppData\Local\Temp\tmp6182.dllFilesize
970KB
MD5c27a1d6ebc0ea34edb928b84031b222e
SHA1803b1bb8dba1fde73300308171bbca4eae04ec08
SHA256f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd
SHA5126f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7
-
\Users\Admin\AppData\Local\Temp\tmp6182.dllFilesize
970KB
MD5c27a1d6ebc0ea34edb928b84031b222e
SHA1803b1bb8dba1fde73300308171bbca4eae04ec08
SHA256f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd
SHA5126f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7
-
\Users\Admin\AppData\Local\Temp\tmp6182.dllFilesize
970KB
MD5c27a1d6ebc0ea34edb928b84031b222e
SHA1803b1bb8dba1fde73300308171bbca4eae04ec08
SHA256f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd
SHA5126f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7
-
\Windows\Installer\MSI59C5.tmpFilesize
413KB
MD57b045b56ba2b1ad587a45648e50e4975
SHA188dc8c279003919ba2610dd42a127eef562e88e7
SHA2567ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692
SHA5129f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722
-
\Windows\Installer\MSI59C5.tmpFilesize
413KB
MD57b045b56ba2b1ad587a45648e50e4975
SHA188dc8c279003919ba2610dd42a127eef562e88e7
SHA2567ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692
SHA5129f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722
-
memory/752-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmpFilesize
8KB
-
memory/788-72-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/788-66-0x0000000000000000-mapping.dmp
-
memory/1872-56-0x0000000000000000-mapping.dmp
-
memory/2012-60-0x0000000000000000-mapping.dmp
-
memory/2012-64-0x0000000002040000-0x00000000020B0000-memory.dmpFilesize
448KB
-
memory/2012-63-0x0000000000210000-0x000000000021A000-memory.dmpFilesize
40KB
-
memory/2012-62-0x0000000001F70000-0x0000000001F9E000-memory.dmpFilesize
184KB