Analysis
-
max time kernel
101s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
06-12-2022 06:29
Static task
static1
Behavioral task
behavioral1
Sample
wild_will.msi
Resource
win7-20220812-en
General
-
Target
wild_will.msi
-
Size
720KB
-
MD5
12fef89480f3c38d0949f7fd9458856d
-
SHA1
8ed8d7bf9c6ffc2934e5c9773692ded50f87ceec
-
SHA256
2bd43175f33d5e03ae53c00541a357c3578a158f56d8b20b9099a45ccebc801a
-
SHA512
0b4e9035905c9da6e7b0d8e0eeda3f6e7b8522135aec15eea14b85bb0966b5058f3443aa054983f00918b29fd3e699efca3a49030ee195c7b3f09d6c667e2a2f
-
SSDEEP
12288:pwHL0D7vkCPumy9chfA+t78B0igC+/NHB01SlF1:2HL0f/zyt+x8BtZKB6SD
Malware Config
Extracted
icedid
787509923
kamintrewftor.com
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 3 316 rundll32.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 1460 MsiExec.exe 556 rundll32.exe 316 rundll32.exe 316 rundll32.exe 316 rundll32.exe 316 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe -
Drops file in Windows directory 15 IoCs
Processes:
rundll32.exemsiexec.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\MSI91C5.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI91C5.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI91C5.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\6d90cc.msi msiexec.exe File opened for modification C:\Windows\Installer\6d90cc.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\6d90cf.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSI91C5.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\6d90cd.ipi msiexec.exe File opened for modification C:\Windows\Installer\6d90cd.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Installer\MSI91C5.tmp-\WixSharp.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA556.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exemsiexec.exepid process 316 rundll32.exe 316 rundll32.exe 1076 msiexec.exe 1076 msiexec.exe 316 rundll32.exe 316 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 904 msiexec.exe Token: SeIncreaseQuotaPrivilege 904 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeSecurityPrivilege 1076 msiexec.exe Token: SeCreateTokenPrivilege 904 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 904 msiexec.exe Token: SeLockMemoryPrivilege 904 msiexec.exe Token: SeIncreaseQuotaPrivilege 904 msiexec.exe Token: SeMachineAccountPrivilege 904 msiexec.exe Token: SeTcbPrivilege 904 msiexec.exe Token: SeSecurityPrivilege 904 msiexec.exe Token: SeTakeOwnershipPrivilege 904 msiexec.exe Token: SeLoadDriverPrivilege 904 msiexec.exe Token: SeSystemProfilePrivilege 904 msiexec.exe Token: SeSystemtimePrivilege 904 msiexec.exe Token: SeProfSingleProcessPrivilege 904 msiexec.exe Token: SeIncBasePriorityPrivilege 904 msiexec.exe Token: SeCreatePagefilePrivilege 904 msiexec.exe Token: SeCreatePermanentPrivilege 904 msiexec.exe Token: SeBackupPrivilege 904 msiexec.exe Token: SeRestorePrivilege 904 msiexec.exe Token: SeShutdownPrivilege 904 msiexec.exe Token: SeDebugPrivilege 904 msiexec.exe Token: SeAuditPrivilege 904 msiexec.exe Token: SeSystemEnvironmentPrivilege 904 msiexec.exe Token: SeChangeNotifyPrivilege 904 msiexec.exe Token: SeRemoteShutdownPrivilege 904 msiexec.exe Token: SeUndockPrivilege 904 msiexec.exe Token: SeSyncAgentPrivilege 904 msiexec.exe Token: SeEnableDelegationPrivilege 904 msiexec.exe Token: SeManageVolumePrivilege 904 msiexec.exe Token: SeImpersonatePrivilege 904 msiexec.exe Token: SeCreateGlobalPrivilege 904 msiexec.exe Token: SeBackupPrivilege 2016 vssvc.exe Token: SeRestorePrivilege 2016 vssvc.exe Token: SeAuditPrivilege 2016 vssvc.exe Token: SeBackupPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1284 DrvInst.exe Token: SeLoadDriverPrivilege 1284 DrvInst.exe Token: SeLoadDriverPrivilege 1284 DrvInst.exe Token: SeLoadDriverPrivilege 1284 DrvInst.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe Token: SeTakeOwnershipPrivilege 1076 msiexec.exe Token: SeRestorePrivilege 1076 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 904 msiexec.exe 904 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 1076 wrote to memory of 1460 1076 msiexec.exe MsiExec.exe PID 1076 wrote to memory of 1460 1076 msiexec.exe MsiExec.exe PID 1076 wrote to memory of 1460 1076 msiexec.exe MsiExec.exe PID 1076 wrote to memory of 1460 1076 msiexec.exe MsiExec.exe PID 1076 wrote to memory of 1460 1076 msiexec.exe MsiExec.exe PID 1460 wrote to memory of 556 1460 MsiExec.exe rundll32.exe PID 1460 wrote to memory of 556 1460 MsiExec.exe rundll32.exe PID 1460 wrote to memory of 556 1460 MsiExec.exe rundll32.exe PID 556 wrote to memory of 316 556 rundll32.exe rundll32.exe PID 556 wrote to memory of 316 556 rundll32.exe rundll32.exe PID 556 wrote to memory of 316 556 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wild_will.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 5E3320C2816356A824294E15C9FCDEB22⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI91C5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7181038 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpA140.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B0" "000000000000031C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
C:\Windows\Installer\MSI91C5.tmpFilesize
413KB
MD5cb3d847e4014f2681f11aa55d2eafb37
SHA127cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
SHA256f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
SHA512dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Windows\Installer\MSI91C5.tmpFilesize
413KB
MD5cb3d847e4014f2681f11aa55d2eafb37
SHA127cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
SHA256f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
SHA512dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
-
\Windows\Installer\MSI91C5.tmpFilesize
413KB
MD5cb3d847e4014f2681f11aa55d2eafb37
SHA127cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
SHA256f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
SHA512dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
-
memory/316-72-0x0000000000120000-0x0000000000129000-memory.dmpFilesize
36KB
-
memory/316-66-0x0000000000000000-mapping.dmp
-
memory/556-60-0x0000000000000000-mapping.dmp
-
memory/556-64-0x000000001A320000-0x000000001A390000-memory.dmpFilesize
448KB
-
memory/556-63-0x0000000001E50000-0x0000000001E5A000-memory.dmpFilesize
40KB
-
memory/556-62-0x0000000000480000-0x00000000004AE000-memory.dmpFilesize
184KB
-
memory/904-54-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB
-
memory/1460-56-0x0000000000000000-mapping.dmp